Splunk Search

How to add a character to front of result if true in an if statement?

alex389
Engager

Hi, I want to use an eval if statement to add a minus onto the original value if it's is true. I am using table command to display these results.

Value0 = 10
Value1 = No

In the above scenario I want Value0 to to become -10

What I have so far only replaces Value0 with "-" only and does not retain the original Value0. What is the correct way to do this

Search | eval Value0=if(Value1="No", "-" ,Value0)

Thank you

0 Karma
1 Solution

renjith_nair
SplunkTrust
SplunkTrust

@alex389,

eval Value0=if(Value1=="No",-1*Value0,Value0)
Happy Splunking!

View solution in original post

renjith_nair
SplunkTrust
SplunkTrust

@alex389,

eval Value0=if(Value1=="No",-1*Value0,Value0)
Happy Splunking!

renjith_nair
SplunkTrust
SplunkTrust

Just in case if you need a '-' character for non integer field then, "." is the concatenation operator.

eval Value0=if(Value1=="No","-".Value0,Value0)
Happy Splunking!
0 Karma
Get Updates on the Splunk Community!

This Week's Community Digest - Splunk Community Happenings [9.26.22]

Get the latest news and updates from the Splunk Community here! Upcoming User Group Events! 👏 Check ...

BSides Splunk 2022 - The Call for Papers is now Open!

TLDR; Main Site: https://bsidessplunk.com CFP Site: https://bsidessplunk.com/cfp CFP Opens: December 15th, ...

Sending Metrics to Splunk Enterprise With the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...