Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is it possible to run a search within an eval if statement?

WoolarCJ
New Member
‎10-11-2016 11:28 AM

Hello,

I am wondering if it possible to do a search within an "if" statement. I have tried what I have in the search below, but it does not appear to be working. Any assistance is helpful. Please be aware this is just a test search to see if this is possible, the search within the if statement will be changed at a later time.

|inputlookup TEST.csv 
| lookup Valid_Email mail as Recipient OUTPUT mail as Valid_User type as type dn as DN 
| where !isnull(Valid_User) AND type="Group" 
| fields - Valid_User message_id 
|ldapfilter search="(memberOf=$DN$)" attrs="mail"
|rename mail AS Recipient   
|eval type1=if(type="Group", [search index=[INDEX] host=[HOST] |table host], "")   
|table Recipient Subject type

Thanks.

0 Karma
Reply

somesoni2
Revered Legend
‎10-11-2016 11:49 AM

As long as you search is returning a string/number, in single row that can be assigned/used in eval expression, it'll work.

|inputlookup TEST.csv 
 | lookup Valid_Email mail as Recipient OUTPUT mail as Valid_User type as type dn as DN 
 | where !isnull(Valid_User) AND type="Group" 
 | fields - Valid_User message_id 
 |ldapfilter search="(memberOf=$DN$)" attrs="mail"
 |rename mail AS Recipient   
 |eval type1=if(type="Group", [search index=[INDEX] host=[HOST] |table host | head 1 | eval search="\"".host."\"" | table search ], "")   
 |table Recipient Subject type

So the subsearch within eval is returning just single string value, enclosed in double quotes.

Reply

nisha_kapoor
Path Finder
‎07-06-2017 02:59 PM

I have the same issue, however my search returns a table. Based on the if condition one of two searches is executed and the return type in both cases is a table. Any suggestions?

0 Karma
Reply

sansay1
Explorer
‎01-14-2020 11:25 AM

Unfortunately, all my numerous tests show that the query in the test case will run regardless of the tests results.

0 Karma
Reply

WoolarCJ
New Member
‎10-12-2016 04:07 AM

I ran the search you provided(I changed some of the wording to fit my environment) I keep getting this error. Error in 'eval' command: The expression is malformed. An unexpected character is reached at ') , "")'. Any idea as to why this is happening?

0 Karma
Reply

rjthibod
Champion
‎10-12-2016 04:34 AM

I think you need to use return host or return $host after head 1 | instead of the eval search ... | table search

something like 

|eval type1=if(type="Group", [search index=[INDEX] host=[HOST] |table host | head 1 | return host], "")

or 

|eval type1=if(type="Group", [search index=[INDEX] host=[HOST] |table host | head 1 | return $host], "")
0 Karma
Reply

loveforsplunk
Explorer
‎05-31-2017 12:08 AM

Your second search worked. We have to put return $field.

0 Karma
Reply
Get Updates on the Splunk Community!

Get Operational Insights Quickly with Natural Language on the Splunk Platform

In today’s fast-paced digital world, turning data into actionable insights is essential for success. With ...

What’s New in Splunk Observability Cloud – June 2025

What’s New in Splunk Observability Cloud – June 2025 We are excited to announce the latest enhancements to ...

Almost Too Eventful Assurance: Part 2

Work While You SleepBefore you can rely on any autonomous remediation measures, you need to close the loop ...
Top