Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Eval and if commands return unexpected result

ddrillic
Ultra Champion
‎04-03-2016 02:14 PM

The question relates to https://answers.splunk.com/answers/387510/alternatives-to-using-join-command.html

index=provider source="*part-m-00009*"

returns events that belong to a scoop file which contains a part-m-00009 string in its name. 

(index=provider source="*part-m-00009*")
 | eval tin_provider=if(source="*part-m-00009*","XXXX","ccccc")

returns ccccc for the tin_provider field.

Does it make sense?

I'm also trying -

| eval tin_provider=if(source=="*part-m-00009*","XXXX","ccccc")

Meaning, double equal with the same results, which is also weird.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-03-2016 02:47 PM

The operator = has different meaning in the search command (wildcard matching) and the eval command (equality).

To get wildcard matching in eval, you can use match() with regular expressions, like() with SQL-style wildcards, or searchmatch() to get asterisk wildcards like in the search command. Check out http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/CommonEvalFunctions for more info.

View solution in original post

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-03-2016 02:47 PM

The operator = has different meaning in the search command (wildcard matching) and the eval command (equality).

To get wildcard matching in eval, you can use match() with regular expressions, like() with SQL-style wildcards, or searchmatch() to get asterisk wildcards like in the search command. Check out http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/CommonEvalFunctions for more info.

Reply
Solved! Jump to solution

ddrillic
Ultra Champion
‎04-03-2016 05:23 PM

Beautiful thing !!! it works -

| eval tin_provider=if(like(source,"%part-m-00009%"),"XXXX","ccccc")
0 Karma
Reply
Solved! Jump to solution

mattymo
Splunk Employee
Splunk Employee
‎04-03-2016 02:34 PM

hmm i wonder if the quotes around the source in your eval if is causing it to literally look for source containing asterisk...will test and let you know...

- MattyMo
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...