Solved: Eval and If else value return or else null - Splunk Community

Splunk Search

Hello Splunkers,

Im constructing Eval field " user1" actually user field contain 5 digit number so i have to construct a EVAL field like

index= XXX| "xxxxx" |eval user1 = if((user_pin > 0), "user_pin", "Unknown") | table user1 user_pin

If "user1" field is 7 digit then in just return actual 7 digit number or else if it is string just say "null value"

EVAL-user = if((user1== 5 digit number ) "reportactull number ", "report null value ")

Please let me know

1 Solution

Solution

You say both 7-digit and 5-digit but I am assuming that you mean the latter, so like this:

EVAL-user=if(match(user1, "^\d{5}$"), user1, "null value")

View solution in original post

Solution

You say both 7-digit and 5-digit but I am assuming that you mean the latter, so like this:

EVAL-user=if(match(user1, "^\d{5}$"), user1, "null value")

Thanks that worked ..if i want to capture word or digit In case 5 -7 digit number or 5-8 word id.

I need to match below to construct eval field.

user
X234578
wertyui
kxtur
lytue23

Change d{5} to d{5-8} or similar.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers, So you searched, “what is the name of the usb key inserted by bob smith?” Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register Is your ...