Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

If-statement does not work

HeinzWaescher
Motivator
‎07-24-2014 02:04 AM

Hi,

my search looks like this:

...
| eval month=strftime(_time, "%Y_%m")
| chart dc(user_id) as count by user_id, month
| stats dc(eval(if(2013_11="1" AND 2013_12="1", user_id, null()))) AS output

The stats command does not work and I don't know why

"Error in 'stats' command: The eval expression for dynamic field 'eval(if(2013_11="1", account_id, null()))' is invalid. Error='The expression is malformed. Expected ).' "

I've used such a command many times before and Splunk never complained about it.

BR

Heinz

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎07-24-2014 04:25 AM

Non-standard field names have to be enclosed in single quotes for where and eval:

... | stats dc(eval(if('2013_11'="1" AND '2013_12'="1", user_id, null()))) AS output

View solution in original post

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎07-24-2014 04:25 AM

Non-standard field names have to be enclosed in single quotes for where and eval:

... | stats dc(eval(if('2013_11'="1" AND '2013_12'="1", user_id, null()))) AS output
Reply
Solved! Jump to solution

HeinzWaescher
Motivator
‎07-24-2014 05:05 AM

thank you very much!

0 Karma
Reply
Solved! Jump to solution

HeinzWaescher
Motivator
‎07-24-2014 02:57 AM

I just tried out another apporach and it seems to work fine:

...
| eval month=strftime(_time, "%Y_%m")
| stats values(month) AS months by user_id
| stats dc(eval(if(months="2013_11" AND months="2013_12", user_id, null()))) AS users
0 Karma
Reply
Solved! Jump to solution

HeinzWaescher
Motivator
‎07-24-2014 02:28 AM

In the end, I want to have a chart that shows the number of active users in 2013_12, who have been active in 2013_11 as well.

I'm wondering, why it is not possible to use it in the if command? Using it as " | search 2013_01="1" is working, so Splunk seems to know that it is the fieldname here

0 Karma
Reply
Solved! Jump to solution

HeinzWaescher
Motivator
‎07-24-2014 02:24 AM

These are the column names after the chart command. The Stats command should count number the users if the value in both columns is "1"

0 Karma
Reply
Solved! Jump to solution

strive
Influencer
‎07-24-2014 02:21 AM

Why are you using 2013_11 and 2013_12 in if condition. Could you please tell us what are you trying there?
You need to use month in if, not its value. If you give us more details we can help you to write the search

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

    Thursday, June 25, 2026  |  11AM PDT / 2PM EDT  Duration: 1 Hour (Includes live Q&A) Register to ...

Analytics Workspace deprecation

As of Splunk Cloud Platform 10.4.2604 and Splunk Enterprise 10.4, Analytics Workspace is now deprecated. ...

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Splunk Developer Day brought the Splunk developer community together for a practical look at what it means to ...