Splunk Search

How to use a Boolean string from lookup table in search

skadirov1
New Member

I have a Boolean string with multiple ORs: code!=x OR code!=y OR etc. When I look it up and use it in a search, it evaluates to a string and not a Boolean in the eval function. I get an error message that a Boolean was expected. Is there a way to force a string to evaluate to a Boolean? The string works fine when defined as a macro, but I need it in the lookup. Thanks

0 Karma

knielsen
Contributor

It would be easier if you gave a search as an example.

You might be able to get what you need by using the "return" function.

In this example, result will be "ok", because the string "foo=\"something\" OR foo=\"whatever\"" will be turned into a boolean expression by return:

| makeresults | eval foo="something" | eval result=if([|makeresults | eval string="foo=\"something\" OR foo=\"whatever\""|return $string],"ok","nok")

So your lookup would go into the if clause, finished by a return.

Hth,
Kai.

0 Karma

skadirov1
New Member

Thanks Kai. What is makeresult? The string with Boolean ORs comes from lookup acvsfile errortype OUTPUT errorsToExclude. How can I pass errorsToExclude into eval(errorsToExclude OR TIME>1000))?

0 Karma

p_gurav
Champion

Can you give sample data?

0 Karma

skadirov1
New Member

Sure.
-code=123
-code=456
-code=789

Splunk Error='Typechecking failed. 'OR' only takes boolean arguments.'

for count(eval(errorsToExclude OR TIME>1000))

In the lookup
errorsToExclude=code!=1 OR code!=2 ...

0 Karma