Splunk Search

Eval and if commands return unexpected result

ddrillic
Ultra Champion

The question relates to https://answers.splunk.com/answers/387510/alternatives-to-using-join-command.html

index=provider source="*part-m-00009*" 

returns events that belong to a scoop file which contains a part-m-00009 string in its name.

(index=provider source="*part-m-00009*")
 | eval tin_provider=if(source="*part-m-00009*","XXXX","ccccc")

returns ccccc for the tin_provider field.

Does it make sense?

I'm also trying -

| eval tin_provider=if(source=="*part-m-00009*","XXXX","ccccc")

Meaning, double equal with the same results, which is also weird.

Tags (1)
0 Karma
1 Solution

martin_mueller
SplunkTrust
SplunkTrust

The operator = has different meaning in the search command (wildcard matching) and the eval command (equality).

To get wildcard matching in eval, you can use match() with regular expressions, like() with SQL-style wildcards, or searchmatch() to get asterisk wildcards like in the search command. Check out http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/CommonEvalFunctions for more info.

View solution in original post

martin_mueller
SplunkTrust
SplunkTrust

The operator = has different meaning in the search command (wildcard matching) and the eval command (equality).

To get wildcard matching in eval, you can use match() with regular expressions, like() with SQL-style wildcards, or searchmatch() to get asterisk wildcards like in the search command. Check out http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/CommonEvalFunctions for more info.

ddrillic
Ultra Champion

Beautiful thing !!! it works -

| eval tin_provider=if(like(source,"%part-m-00009%"),"XXXX","ccccc")
0 Karma

mattymo
Splunk Employee
Splunk Employee

hmm i wonder if the quotes around the source in your eval if is causing it to literally look for source containing asterisk...will test and let you know...

- MattyMo
0 Karma
Get Updates on the Splunk Community!

AppDynamics Summer Webinars

This summer, our mighty AppDynamics team is cooking up some delicious content on YouTube Live to satiate your ...

SOCin’ it to you at Splunk University

Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...