Solved: Eval and If else value return or else null - Splunk Community

Splunk Search

Hello Splunkers,

Im constructing Eval field " user1" actually user field contain 5 digit number so i have to construct a EVAL field like

index= XXX| "xxxxx" |eval user1 = if((user_pin > 0), "user_pin", "Unknown") | table user1 user_pin

If "user1" field is 7 digit then in just return actual 7 digit number or else if it is string just say "null value"

EVAL-user = if((user1== 5 digit number ) "reportactull number ", "report null value ")

Please let me know

1 Solution

Solution

You say both 7-digit and 5-digit but I am assuming that you mean the latter, so like this:

EVAL-user=if(match(user1, "^\d{5}$"), user1, "null value")

View solution in original post

Solution

You say both 7-digit and 5-digit but I am assuming that you mean the latter, so like this:

EVAL-user=if(match(user1, "^\d{5}$"), user1, "null value")

Thanks that worked ..if i want to capture word or digit In case 5 -7 digit number or 5-8 word id.

I need to match below to construct eval field.

user
X234578
wertyui
kxtur
lytue23

Change d{5} to d{5-8} or similar.

Get Updates on the Splunk Community!

Community Content Calendar, November Edition

Welcome to the November edition of our Community Spotlight! Each month, we dive into the Splunk Community to ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...