Solved: How do I combine two searches in an eval command?

KyleMcDougall · ‎09-15-2022

Hello,

How do I combine two searches in an eval command? In the example below, I'm trying to create a value for "followup_live_agent" and "caller_silence" values. Splunk is telling me this query is invalid.

index=conversation sourcetype=cui-orchestration-log botId=123456
| eval AgentRequests=if(match(intent, "followup_live_agent" OR "caller_silence"), 1, 0)

Any help is much appreciated!

richgalloway · ‎09-15-2022

The match function does not accept boolean expressions - only expects strings and fields containing strings. Try breaking it into 2 match calls.

index=conversation sourcetype=cui-orchestration-log botId=123456
| eval AgentRequests=if(match(intent, "followup_live_agent") OR match(intent, "caller_silence"), 1, 0)

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎09-15-2022

The match function does not accept boolean expressions - only expects strings and fields containing strings. Try breaking it into 2 match calls.

index=conversation sourcetype=cui-orchestration-log botId=123456
| eval AgentRequests=if(match(intent, "followup_live_agent") OR match(intent, "caller_silence"), 1, 0)

---
If this reply helps you, Karma would be appreciated.

How do I combine two searches in an eval command?

eval

stats

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Your Guide to SPL2 at .conf24!

Get ready to show some Splunk Certification swagger at .conf24!