Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 
Ask a Question
Solved! Jump to solution

Eval if function with 2 arguments

bleung93
Path Finder
โ€Ž04-16-2014 03:04 PM 
... | eval totalVolumeGB=if(totalVolumeGB=="0",maxTotalDataSizeMB*23/1024,totalVolumeGB)

How would I add in another argument inside the if function?

I want to apply the above search query in 2 different situations. By including "index=summary_*" and "index!=summary_*" essentially have 2 evals.

I have already tried inserting the following

if(totalVolumeGB=="0" && index=summary_*,maxTotalDataSizeMB*23/1024,totalVolumeGB)

but did not eval correctly. What are some options I can do?

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
โ€Ž04-16-2014 03:53 PM

You cannot use the asterisk character like that, eval interprets it as multiplication and complains about not finding the second factor. Try this:

... | eval totalVolumeGB = if(totalVolumeGB=="0" AND NOT match(index, "^summary_"), maxTotalDataSizeMB*23/1024, totalVolumeGB)

View solution in original post

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
โ€Ž04-16-2014 03:53 PM

You cannot use the asterisk character like that, eval interprets it as multiplication and complains about not finding the second factor. Try this:

... | eval totalVolumeGB = if(totalVolumeGB=="0" AND NOT match(index, "^summary_"), maxTotalDataSizeMB*23/1024, totalVolumeGB)

View solution in original post

Reply
Solved! Jump to solution

bleung93
Path Finder
โ€Ž04-16-2014 04:00 PM

This fixed it up. Thanks for the much needed help Martin.

0 Karma
Reply
Solved! Jump to solution

bleung93
Path Finder
โ€Ž04-16-2014 03:46 PM

I tried following the template in http://answers.splunk.com/answers/101356/and-in-if-statement

| eval totalVolumeGB=if((totalVolumeGB=="0")AND(index!=summary_),maxTotalDataSizeMB*10/1024,totalVolumeGB)
| eval totalVolumeGB=if((totalVolumeGB=="0")AND(index==summary_),maxTotalDataSizeMB*23/1024,totalVolumeGB)

Got an error banner stating as below...
"Error in 'eval' command: The expression is malformed. An unexpected character is reached at '),maxTotalDataSizeMB*10/1024,totalVolumeGB)'."

0 Karma
Reply
Solved! Jump to solution

bleung93
Path Finder
โ€Ž04-16-2014 03:05 PM

Resulting into something like this

... | eval totalVolumeGB=if(totalVolumeGB=="0" && index=summary_*,maxTotalDataSizeMB*23/1024,totalVolumeGB)

... | eval totalVolumeGB=if(totalVolumeGB=="0" && index!=summary_*,maxTotalDataSizeMB*10/1024,totalVolumeGB)

0 Karma
Reply