How to use a Boolean string from lookup table in s...

skadirov1 · ‎04-16-2018

I have Boolean string with multiple ORs- code!=x OR code!=y OR etc. When I look it up and use in search it evaluates to string and not Boolean in the eval function. I get error message that a Boolean was expected. Is there a way to force a string to evaluate to Boolean? The string works fine when defined as macro, but I need it in the lookup. Thanks

knielsen · ‎04-17-2018

It would be easier if you give a search as example.

You might be able to get what you need by using the "return" function.

In this example, result will be "ok", because the string "foo=\"something\" OR foo=\"whatever\"" will be turned into a boolean expression by return:

| makeresults | eval foo="something" | eval result=if([|makeresults | eval string="foo=\"something\" OR foo=\"whatever\""|return $string],"ok","nok")

So your lookup would go into the if clause, finished by a return.

Hth,
Kai.

skadirov1 · ‎04-17-2018

Thanks Kai. What is makeresult? The string with boolean ORs comes from lookup acvsfile errortype OUTPUT errorsToExclude. How can i pass errorsToExclude into eval(errorsToExclude OR TIME>1000))?

p_gurav · ‎04-16-2018

Can you give sample data?

skadirov1 · ‎04-17-2018

Sure.
-code=123
-code=456
-code=789

Splunk Error='Typechecking failed. 'OR' only takes boolean arguments.'

for count(eval(errorsToExclude OR TIME>1000))

In the lookup
errorsToExclude=code!=1 OR code!=2 ...

How to use a Boolean string from lookup table in search

Splunk Lantern | Spotlight on Security: Adoption Motions, War Stories, and More

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)

Tech Talk | One Log to Rule Them All