Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is it possible to run a search within an eval if statement?

WoolarCJ
New Member
‎10-11-2016 11:28 AM

Hello,

I am wondering if it possible to do a search within an "if" statement. I have tried what I have in the search below, but it does not appear to be working. Any assistance is helpful. Please be aware this is just a test search to see if this is possible, the search within the if statement will be changed at a later time.

|inputlookup TEST.csv 
| lookup Valid_Email mail as Recipient OUTPUT mail as Valid_User type as type dn as DN 
| where !isnull(Valid_User) AND type="Group" 
| fields - Valid_User message_id 
|ldapfilter search="(memberOf=$DN$)" attrs="mail"
|rename mail AS Recipient   
|eval type1=if(type="Group", [search index=[INDEX] host=[HOST] |table host], "")   
|table Recipient Subject type

Thanks.

0 Karma
Reply

somesoni2
Revered Legend
‎10-11-2016 11:49 AM

As long as you search is returning a string/number, in single row that can be assigned/used in eval expression, it'll work.

|inputlookup TEST.csv 
 | lookup Valid_Email mail as Recipient OUTPUT mail as Valid_User type as type dn as DN 
 | where !isnull(Valid_User) AND type="Group" 
 | fields - Valid_User message_id 
 |ldapfilter search="(memberOf=$DN$)" attrs="mail"
 |rename mail AS Recipient   
 |eval type1=if(type="Group", [search index=[INDEX] host=[HOST] |table host | head 1 | eval search="\"".host."\"" | table search ], "")   
 |table Recipient Subject type

So the subsearch within eval is returning just single string value, enclosed in double quotes.

Reply

nisha_kapoor
Path Finder
‎07-06-2017 02:59 PM

I have the same issue, however my search returns a table. Based on the if condition one of two searches is executed and the return type in both cases is a table. Any suggestions?

0 Karma
Reply

sansay1
Explorer
‎01-14-2020 11:25 AM

Unfortunately, all my numerous tests show that the query in the test case will run regardless of the tests results.

0 Karma
Reply

WoolarCJ
New Member
‎10-12-2016 04:07 AM

I ran the search you provided(I changed some of the wording to fit my environment) I keep getting this error. Error in 'eval' command: The expression is malformed. An unexpected character is reached at ') , "")'. Any idea as to why this is happening?

0 Karma
Reply

rjthibod
Champion
‎10-12-2016 04:34 AM

I think you need to use return host or return $host after head 1 | instead of the eval search ... | table search

something like 

|eval type1=if(type="Group", [search index=[INDEX] host=[HOST] |table host | head 1 | return host], "")

or 

|eval type1=if(type="Group", [search index=[INDEX] host=[HOST] |table host | head 1 | return $host], "")
0 Karma
Reply

loveforsplunk
Explorer
‎05-31-2017 12:08 AM

Your second search worked. We have to put return $field.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...