Splunk Search

How to use a Boolean string from lookup table in search

skadirov1
New Member

I have Boolean string with multiple ORs- code!=x OR code!=y OR etc. When I look it up and use in search it evaluates to string and not Boolean in the eval function. I get error message that a Boolean was expected. Is there a way to force a string to evaluate to Boolean? The string works fine when defined as macro, but I need it in the lookup. Thanks

Tags (1)
0 Karma

knielsen
Contributor

It would be easier if you give a search as example.

You might be able to get what you need by using the "return" function.

In this example, result will be "ok", because the string "foo=\"something\" OR foo=\"whatever\"" will be turned into a boolean expression by return:

| makeresults | eval foo="something" | eval result=if([|makeresults | eval string="foo=\"something\" OR foo=\"whatever\""|return $string],"ok","nok")

So your lookup would go into the if clause, finished by a return.

Hth,
Kai.

0 Karma

skadirov1
New Member

Thanks Kai. What is makeresult? The string with boolean ORs comes from lookup acvsfile errortype OUTPUT errorsToExclude. How can i pass errorsToExclude into eval(errorsToExclude OR TIME>1000))?

0 Karma

p_gurav
Champion

Can you give sample data?

0 Karma

skadirov1
New Member

Sure.
-code=123
-code=456
-code=789

Splunk Error='Typechecking failed. 'OR' only takes boolean arguments.'

for count(eval(errorsToExclude OR TIME>1000))

In the lookup
errorsToExclude=code!=1 OR code!=2 ...

0 Karma
Get Updates on the Splunk Community!

Full-Stack Security in Financial Services: AppDynamics, Cisco Secure Application, and ...

Full-Stack Security in Financial Services: AppDynamics, Cisco Secure Application, and Splunk ES Protecting a ...

It's Customer Success Time at .conf25

Hello Splunkers,   Ready for .conf25? The customer success and experience team is and can’t wait to see you ...

Pro Tips for First-Time .conf Attendees: Advice from SplunkTrust

Heading to your first .Conf? You’re in for an unforgettable ride — learning, networking, swag collecting, ...