Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

If/Then To different Eval Statements

albyva
Communicator
‎09-22-2014 07:02 AM

I'm trying to have a Splunk Alert kick off an email (to an email script) and depending on the search query it should email Address1 or Address2. How do you I create this type of variable? Should I setup a where statement like | where search=Apples | eval email="address1" |where search=Oranges | eval email="address2" ????

Example:

[search yields Apples] | eval email="address1"

[search yields Oranges] | eval email="address2"

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

pradeepkumarg
Influencer
‎09-22-2014 07:17 AM

You can club if and eval as below.

eval email=if(mycondition,"address1","address2")

View solution in original post

Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎09-22-2014 08:23 AM

Try this

| eval email=if(like(BPS,"%Gbps"),"address1","address2")
Reply
Solved! Jump to solution

albyva
Communicator
‎09-22-2014 08:29 AM

Thank You !!!! 🙂

0 Karma
Reply
Solved! Jump to solution
Solution

pradeepkumarg
Influencer
‎09-22-2014 07:17 AM

You can club if and eval as below.

eval email=if(mycondition,"address1","address2")
Reply
Solved! Jump to solution

albyva
Communicator
‎09-22-2014 08:05 AM

Can you add a wildcard into mycondition?

I see where if(X,Y,Z) says: This function takes three arguments. The first argument X is a Boolean expression. If X evaluates to TRUE, the result is the second argument Y. Optionally, if X evaluates to FALSE, the result evaluates to the third argument Z.

My problem now is that (X) is something like 123.45 Gbps or 45.67 Mbps. My goal is to have Gbps send email to address1 and everything go to address2.

Example:

| eval email=if(BPS="Gbps","address1","address2")

The problem appears to be that if I say Gbps or even *Gbps in the X field, neither seem to work. It's only when I specify the exact value like 123.45 Gbps does it actually work. So what I need is a wildcard, but that isn't working. Any suggestions???

Thanks

0 Karma
Reply
Solved! Jump to solution

pradeepkumarg
Influencer
‎09-22-2014 08:20 AM

Yes, you should be able to do it.. You can also try to extract just Gbps and Mbps into a field before the condition and try the comparison on that field.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...