Splunk Search

How to get this eval statement to isolate the search to just two values?

msage
Path Finder

Working on a search where there's a field (Office Location) with about 5 different values that are stored in a lookup file. We're looking at attendance at a specific office (office 1) and differentiating who's actually going in. Specifically, we want to isolate people assigned to office 1 and those that are assigned to a different office. The original search looks like this but it would populate all the locations rather than just office 1 or not.

 

index=index EVDESCR="event" READERDESC="reader"
| lookup users.csv ID as EMPLOYEE_ID
| timechart span=1d dc(CARDNUM) by Location limit=0

I tried using this eval statement to hopefully isolate the search to just two values. Yes, home office or no home office.

|eval Home=if(Location"office1", yes, no) 

The problem is this eval statement doesn't work and I'm not sure what I'm doing wrong. Any help is appreciated.

1 Solution

ITWhisperer
SplunkTrust
| eval Home=if(Location="office1", "yes", "no") 

msage
Path Finder

Actually you were correct. Not having the quotation marks was what was giving me issues. 

0 Karma

msage
Path Finder

Tried that and it won't work for whatever reason. All the results are blank

0 Karma
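
Added example, not part of the original thread: the poster's search with the eval placed before timechart and the chart split by Home instead of Location. It goes one step beyond the accepted answer by using case(), so that badge events whose EMPLOYEE_ID has no matching row in users.csv (where Location is null) are shown under a constructed "unknown" label instead of being counted as "no".

```spl
index=index EVDESCR="event" READERDESC="reader"
| lookup users.csv ID as EMPLOYEE_ID
| eval Home=case(isnull(Location), "unknown", Location="office1", "yes", true(), "no")
| timechart span=1d dc(CARDNUM) by Home
```

In eval, double-quoted text is a string literal while an unquoted word such as yes is read as a field name, and the comparison Location="office1" is case-sensitive, so the quoted value has to match the lookup's spelling exactly.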