Splunk Search

How to add a character to front of result if true in an if statement?

alex389
Engager

Hi, I want to use an eval if statement to add a minus onto the original value if it's is true. I am using table command to display these results.

Value0 = 10
Value1 = No

In the above scenario I want Value0 to to become -10

What I have so far only replaces Value0 with "-" only and does not retain the original Value0. What is the correct way to do this

Search | eval Value0=if(Value1="No", "-" ,Value0)

Thank you

0 Karma
1 Solution

renjith_nair
SplunkTrust
SplunkTrust

@alex389,

eval Value0=if(Value1=="No",-1*Value0,Value0)
Happy Splunking!

View solution in original post

renjith_nair
SplunkTrust
SplunkTrust

@alex389,

eval Value0=if(Value1=="No",-1*Value0,Value0)
Happy Splunking!

renjith_nair
SplunkTrust
SplunkTrust

Just in case if you need a '-' character for non integer field then, "." is the concatenation operator.

eval Value0=if(Value1=="No","-".Value0,Value0)
Happy Splunking!
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) v3.54.0

The Splunk Threat Research Team (STRT) recently released Enterprise Security Content Update (ESCU) v3.54.0 and ...

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

New Learning Videos on Topics Most Requested by You! Plus This Month’s New Splunk ...

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...