- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do I edit my "eval if match" syntax to evaluate complex combinations with precedence on the order of operation?
jclemons7
Path Finder
10-15-2015
11:52 AM
Hello all,
I have the following eval function which functions properly:
| eval my_count=if(match(lower(FieldName),"\\\filename.exe"),1,0)
But I want to evaluate a few things in the if statement and need them to have precedence on the order of operation. What I'd like to be able to say is if FieldName contains \filename.exe
OR (bob AND uncle) then 1, else 0, but for the life of me, I can't get the expected results.
Any help is greatly appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
data:image/s3,"s3://crabby-images/00ea7/00ea728ddd59db76fcdafc5039051fc288625212" alt="richgalloway richgalloway"
richgalloway
data:image/s3,"s3://crabby-images/f2c43/f2c43ff9fe30701b4ec7d60d5201063534e5c1eb" alt="SplunkTrust SplunkTrust"
SplunkTrust
10-15-2015
12:19 PM
Here's a run-anywhere example.
|metadata type=sources | head 1 | eval FieldName="filename.exe" | eval bob=1 | eval uncle=1 | eval my_count=if(match(lower(FieldName),"\\\filename.exe") OR (bob==1 AND uncle==1),1,0) | table FieldName bob uncle my_count
---
If this reply helps you, Karma would be appreciated.
If this reply helps you, Karma would be appreciated.
data:image/s3,"s3://crabby-images/a266d/a266d0c80c12793a952b209c17cc3de41b17fc89" alt=""