Solved: How do I combine two searches in an eval command?

KyleMcDougall · ‎09-15-2022

Hello,

How do I combine two searches in an eval command? In the example below, I'm trying to create a value for "followup_live_agent" and "caller_silence" values. Splunk is telling me this query is invalid.

index=conversation sourcetype=cui-orchestration-log botId=123456
| eval AgentRequests=if(match(intent, "followup_live_agent" OR "caller_silence"), 1, 0)

Any help is much appreciated!

richgalloway · ‎09-15-2022

The match function does not accept boolean expressions - only expects strings and fields containing strings. Try breaking it into 2 match calls.

index=conversation sourcetype=cui-orchestration-log botId=123456
| eval AgentRequests=if(match(intent, "followup_live_agent") OR match(intent, "caller_silence"), 1, 0)

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎09-15-2022

The match function does not accept boolean expressions - only expects strings and fields containing strings. Try breaking it into 2 match calls.

index=conversation sourcetype=cui-orchestration-log botId=123456
| eval AgentRequests=if(match(intent, "followup_live_agent") OR match(intent, "caller_silence"), 1, 0)

---
If this reply helps you, Karma would be appreciated.

How do I combine two searches in an eval command?

eval

stats

Monitoring Amazon Elastic Kubernetes Service (EKS)

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

Explore the Latest Educational Offerings from Splunk (November Releases)