Splunk Search

How to use a Boolean string from lookup table in search

skadirov1
New Member

I have Boolean string with multiple ORs- code!=x OR code!=y OR etc. When I look it up and use in search it evaluates to string and not Boolean in the eval function. I get error message that a Boolean was expected. Is there a way to force a string to evaluate to Boolean? The string works fine when defined as macro, but I need it in the lookup. Thanks

Tags (1)
0 Karma

knielsen
Contributor

It would be easier if you give a search as example.

You might be able to get what you need by using the "return" function.

In this example, result will be "ok", because the string "foo=\"something\" OR foo=\"whatever\"" will be turned into a boolean expression by return:

| makeresults | eval foo="something" | eval result=if([|makeresults | eval string="foo=\"something\" OR foo=\"whatever\""|return $string],"ok","nok")

So your lookup would go into the if clause, finished by a return.

Hth,
Kai.

0 Karma

skadirov1
New Member

Thanks Kai. What is makeresult? The string with boolean ORs comes from lookup acvsfile errortype OUTPUT errorsToExclude. How can i pass errorsToExclude into eval(errorsToExclude OR TIME>1000))?

0 Karma

p_gurav
Champion

Can you give sample data?

0 Karma

skadirov1
New Member

Sure.
-code=123
-code=456
-code=789

Splunk Error='Typechecking failed. 'OR' only takes boolean arguments.'

for count(eval(errorsToExclude OR TIME>1000))

In the lookup
errorsToExclude=code!=1 OR code!=2 ...

0 Karma
Get Updates on the Splunk Community!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Enhance Security Operations with Automated Threat Analysis in the Splunk EcosystemAre you leveraging ...

Splunk Developers: Go Beyond the Dashboard with These .Conf25 Sessions

  Whether you’re building custom apps, diving into SPL2, or integrating AI and machine learning into your ...

Index This | How do you write 23 only using the number 2?

July 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this month’s ...