Eval and if commands return unexpected result

ddrillic
Ultra Champion

The question relates to https://answers.splunk.com/answers/387510/alternatives-to-using-join-command.html

index=provider source="*part-m-00009*" 

returns events that belong to a scoop file which contains a part-m-00009 string in its name.

(index=provider source="*part-m-00009*")
 | eval tin_provider=if(source="*part-m-00009*","XXXX","ccccc")

returns ccccc for the tin_provider field.

Does it make sense?

I'm also trying -

| eval tin_provider=if(source=="*part-m-00009*","XXXX","ccccc")

Meaning, double equal with the same results, which is also weird.


martin_mueller
SplunkTrust

The operator = has different meaning in the search command (wildcard matching) and the eval command (equality).

To get wildcard matching in eval, you can use match() with regular expressions, like() with SQL-style wildcards, or searchmatch() to get asterisk wildcards like in the search command. Check out http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/CommonEvalFunctions for more info.
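As an added illustration (not part of the original thread), the following search puts the plain `=` comparison next to the three eval alternatives named above on a single constructed event. The `source` value is made up with makeresults so the search runs without any indexed data; the "XXXX"/"ccccc" labels are the ones from the question.

```spl
| makeresults count=1
| eval source="/data/provider/part-m-00009.txt"
| eval eq_test    = if(source="*part-m-00009*", "XXXX", "ccccc")
| eval like_test  = if(like(source, "%part-m-00009%"), "XXXX", "ccccc")
| eval match_test = if(match(source, "part-m-00009"), "XXXX", "ccccc")
| eval sm_test    = if(searchmatch("source=*part-m-00009*"), "XXXX", "ccccc")
| table source eq_test like_test match_test sm_test
```

In eval, `=` compares the field to the literal string `*part-m-00009*` (asterisks included), so `eq_test` comes back `ccccc`. `like()` uses SQL wildcards (`%` for any run of characters, `_` for one character), `match()` takes a regular expression, and `searchmatch()` takes a search-command string with the same `*` wildcards used in the base search, so the other three columns evaluate to `XXXX`.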


ddrillic
Ultra Champion

Beautiful thing!!! It works -

| eval tin_provider=if(like(source,"%part-m-00009%"),"XXXX","ccccc")

mattymo
Splunk Employee

Hmm, I wonder if the quotes around the source in your eval if are causing it to literally look for a source containing an asterisk... will test and let you know...

- MattyMo