Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Funkyness with Eval

tmarlette
Motivator
‎03-05-2014 12:46 PM

SO I am using an EVAL command in one of my searches in order to name process state as "OK" or "DOWN". This is my Query:

 sourcetype=WMI:Service Name=VMTools | dedup host,Name | eval State = if(State == Running, "OK","DOWN") | table _time,host,Name,State

When I do I get the process is down, even if it's running. Please take a look at the image:

alt text

Now when I remove the "EVAL" Statement in the query above, it looks just fine. This is the query I am using: 

sourcetype=WMI:Service Name=VMTools | dedup host,Name | table _time,host,Name,State

This is the image for the results no less than 1 minute after the previous image:
alt text

I am just wondering if I am doing something wrong? I checked the documentation, but I haven't seen this behavior before. I've been looking at this for awhile, and I'm wondering if there is a simple syntax error i'm overlooking?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

aelliott
Motivator
‎03-05-2014 12:51 PM

perhaps quotation marks around "Running"?
It may be looking for the field named Running.

View solution in original post

Reply
Solved! Jump to solution
Solution

aelliott
Motivator
‎03-05-2014 12:51 PM

perhaps quotation marks around "Running"?
It may be looking for the field named Running.

Reply
Solved! Jump to solution

tmarlette
Motivator
‎03-05-2014 12:59 PM

Oh... My... God..... I feel completely inadequate. Thank you very much sir!

so long... everything looks the same!!

0 Karma
Reply
Solved! Jump to solution

tmarlette
Motivator
‎03-05-2014 12:49 PM

Running a search on every service on that machine WITH the EVAL statement, it shows every service as "DOWN".

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...