How to use a Boolean string from lookup table in s...

skadirov1 · ‎04-16-2018

I have Boolean string with multiple ORs- code!=x OR code!=y OR etc. When I look it up and use in search it evaluates to string and not Boolean in the eval function. I get error message that a Boolean was expected. Is there a way to force a string to evaluate to Boolean? The string works fine when defined as macro, but I need it in the lookup. Thanks

knielsen · ‎04-17-2018

It would be easier if you give a search as example.

You might be able to get what you need by using the "return" function.

In this example, result will be "ok", because the string "foo=\"something\" OR foo=\"whatever\"" will be turned into a boolean expression by return:

| makeresults | eval foo="something" | eval result=if([|makeresults | eval string="foo=\"something\" OR foo=\"whatever\""|return $string],"ok","nok")

So your lookup would go into the if clause, finished by a return.

Hth,
Kai.

skadirov1 · ‎04-17-2018

Thanks Kai. What is makeresult? The string with boolean ORs comes from lookup acvsfile errortype OUTPUT errorsToExclude. How can i pass errorsToExclude into eval(errorsToExclude OR TIME>1000))?

p_gurav · ‎04-16-2018

Can you give sample data?

skadirov1 · ‎04-17-2018

Sure.
-code=123
-code=456
-code=789

Splunk Error='Typechecking failed. 'OR' only takes boolean arguments.'

for count(eval(errorsToExclude OR TIME>1000))

In the lookup
errorsToExclude=code!=1 OR code!=2 ...

How to use a Boolean string from lookup table in search

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation