Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

If/Then To different Eval Statements

albyva
Communicator
‎09-22-2014 07:02 AM

I'm trying to have a Splunk Alert kick off an email (to an email script) and depending on the search query it should email Address1 or Address2. How do you I create this type of variable? Should I setup a where statement like | where search=Apples | eval email="address1" |where search=Oranges | eval email="address2" ????

Example:

[search yields Apples] | eval email="address1"

[search yields Oranges] | eval email="address2"

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

pradeepkumarg
Influencer
‎09-22-2014 07:17 AM

You can club if and eval as below.

eval email=if(mycondition,"address1","address2")

View solution in original post

Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎09-22-2014 08:23 AM

Try this

| eval email=if(like(BPS,"%Gbps"),"address1","address2")
Reply
Solved! Jump to solution

albyva
Communicator
‎09-22-2014 08:29 AM

Thank You !!!! 🙂

0 Karma
Reply
Solved! Jump to solution
Solution

pradeepkumarg
Influencer
‎09-22-2014 07:17 AM

You can club if and eval as below.

eval email=if(mycondition,"address1","address2")
Reply
Solved! Jump to solution

albyva
Communicator
‎09-22-2014 08:05 AM

Can you add a wildcard into mycondition?

I see where if(X,Y,Z) says: This function takes three arguments. The first argument X is a Boolean expression. If X evaluates to TRUE, the result is the second argument Y. Optionally, if X evaluates to FALSE, the result evaluates to the third argument Z.

My problem now is that (X) is something like 123.45 Gbps or 45.67 Mbps. My goal is to have Gbps send email to address1 and everything go to address2.

Example:

| eval email=if(BPS="Gbps","address1","address2")

The problem appears to be that if I say Gbps or even *Gbps in the X field, neither seem to work. It's only when I specify the exact value like 123.45 Gbps does it actually work. So what I need is a wildcard, but that isn't working. Any suggestions???

Thanks

0 Karma
Reply
Solved! Jump to solution

pradeepkumarg
Influencer
‎09-22-2014 08:20 AM

Yes, you should be able to do it.. You can also try to extract just Gbps and Mbps into a field before the condition and try the comparison on that field.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...