Need help with eval and if then statement - showing errors.

UMDTERPS

Communicator

01-29-2019
09:38 AM

```
| inputlookup list.csv
| eval newbigfix=if(bigfix = 1,1,0)
| eval newnorton=if(norton = 1,3,0)
| eval newmcafee=if(mcafee = 1,6,0)
| eval search_score = newbigfix + newnorton + newmcafee
```

The above search works and returns all of the columns needed and adds the correct numbers to the columns.

However, I am trying to run an eval and if then statement after the above search as follows:

```
| inputlookup list.csv
| eval newbigfix=if(bigfix = 1,1,0)
| eval newnorton=if(norton = 1,3,0)
| eval newmcafee=if(mcafee = 1,6,0)
| eval search_score = newbigfix + newnorton + newmcafee
| eval search1 = if (search_score == 1, [search index="bigfix" IPAddress ="198.168.1.25" | table IPAddress, CompName, MAC , OS, Manufacturer, Model], "")
```

The above search fails with the following error:

```
Error in 'eval' command: Fields cannot be assigned a boolean result. Instead, try if([bool expr], [expr], [expr]).
The search job has failed due to an error. You may be able view the job in the Job Inspector.
```

If I run just the search:

```
|search index="bigfix" IPAddress ="198.168.1.25" | table IPAddress, CompName, MAC , OS, Manufacturer, Model
```

It runs just fine.

Any ideas why the | eval search1 = if is not working?


Re: Need help with eval and if then statement - showing errors.

adonio

SplunkTrust

01-31-2019
10:55 AM

try this:

`| where index="bigfix" IPAddress ="198.168.1.25" | table IPAddress, CompName, MAC , OS, Manufacturer, Model`


Re: Need help with eval and if then statement - showing errors.

vishaltaneja070

Builder

01-31-2019
10:31 PM

```
| makeresults | eval bigfix=1 | eval norton=1 | eval mcafee=0
| eval newbigfix=if(bigfix = 1,1,0)
| eval newnorton=if(norton = 1,3,0)
| eval newmcafee=if(mcafee = 1,6,0)
| eval search_score = newbigfix + newnorton + newmcafee
| eval search1 = if (search_score == 4, "index=bigfix IPAddress =198.168.1.25 | table IPAddress CompName MAC OS Manufacturer Model","")
```


Re: Need help with eval and if then statement - showing errors.

UMDTERPS

Communicator

02-01-2019
06:07 AM

Hello!

For this search we are using a lookuptable (CSV), so | inputlookup list.csv needs to be there.

For further clarification the eval statement below:

```
| inputlookup list.csv
| eval newbigfix=if(bigfix = 1,1,0)
| eval newnorton=if(norton = 1,3,0)
| eval newmcafee=if(mcafee = 1,6,0)
| eval search_score = newbigfix + newnorton + newmcafee
```

adds

`| eval newbigfix=if(bigfix = 1,1,0)`

What this statement is saying is that if the ip has a 1 in the bigfix field we assign it a 1; if it doesn't, it assigns it a 0 (because it doesn't have big fix). The number it gets assigned goes into the "newbigfix" field.

The above is the same for all 3 eval statements. Once the "New" score is assigned for a given IP, I do an eval to add up all of the numbers and place the number in a new field called "search score":

```
| eval search_score = newbigfix + newnorton + newmcafee
```

In order to return the correct fields, I use another eval statement "search1" to return fields based on the "search_score"

```
| eval search1 = if (search_score == 1, [search index="bigfix" IPAddress ="198.168.1.25" | table IPAddress, CompName, MAC , OS, Manufacturer, Model], "")
```


Re: Need help with eval and if then statement - showing errors.

UMDTERPS

Communicator

02-06-2019
07:48 AM

```
command must be the first command of a search. The search job has failed due to an error. You may be able view the job in the Job Inspector.
```


Re: Need help with eval and if then statement - showing errors.

woodcock

Esteemed Legend

02-01-2019
09:39 AM

Give me a mockup of what you expect `search1` to contain at the end.


Re: Need help with eval and if then statement - showing errors.

UMDTERPS

Communicator

02-04-2019
12:24 PM

We have 4 fields in the | inputlookup list.csv as follows:

```
ip bigfix norton mcafee
198.168.1.25 1 0 0
```

```
| inputlookup list.csv
| eval newbigfix=if(bigfix = 1,1,0)
| eval newnorton=if(norton = 1,3,0)
| eval newmcafee=if(mcafee = 1,6,0)
| eval search_score = newbigfix + newnorton + newmcafee
```

The if then eval statements look at the fields to see if there is a 0 or 1 in each of the agent fields and then create a new column called "search_score" by adding all of the agent field numbers together and assigning a score:

```
ip bigfix norton mcafee search_score
198.168.1.25 1 0 0 1
```

For example, in the case of 198.168.1.25, the if then statement sees that there is a 1 for bigfix and a 0 for norton and mcafee. The final eval statement will add all of the scores together and assign a score. In this case, because 198.168.1.25 only has a 1 for bigfix and 0 for norton and mcafee, it will be assigned a 1 for the newly created "search_score" field.

```
| eval search1 = if (search_score == 1, [search index="bigfix" IPAddress ="198.168.1.25" | table IPAddress, CompName, MAC , OS, Manufacturer, Model], "")
```

In regards to your question, "search1" looks to see which ips have a search score equal to 1, because we know that having a search_score equal to 1 can only mean the ip has a 1 for big fix. search1 will return the following fields from bigfix: IPAddress, CompName, MAC, OS, Manufacturer, Model. If the ip has a search_score of 4, we know the ip has bigfix and norton, and search1 will return fields from bigfix and norton. I chose just to use bigfix in search1 as an example to make it less complicated to explain for help.

Does that help in better understanding what search1 is supposed to do?


Re: Need help with eval and if then statement - showing errors.

woodcock

Esteemed Legend

02-08-2019
12:05 PM

`| eval search_score = newbigfix + newnorton + newmcafee` line executes. Then DO NOT SHOW ANY MORE SPL. Just show me how you would like those 5 lines transformed for your final result.


Re: Need help with eval and if then statement - showing errors.

woodcock

Esteemed Legend

02-11-2019
10:23 PM

Maybe this?

```
index="bigfix"
[|inputlookup list.csv
| eval search_score = if(bigfix = 1,1,0) + if(norton = 1,3,0) + if(mcafee = 1,6,0)
| where search_score==1
| rename ip AS IPAddress
| table IPAddress]
| table IPAddress, CompName, MAC , OS, Manufacturer, Model
```
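
To inspect what the bracketed subsearch in the answer above hands to the outer `index="bigfix"` search, run the subsearch on its own with `format` appended. This is an added example, not part of the original thread, and it uses only the lookup, field names and score value from the posts above.

```spl
| inputlookup list.csv
| eval search_score = if(bigfix = 1,1,0) + if(norton = 1,3,0) + if(mcafee = 1,6,0)
| where search_score==1
| rename ip AS IPAddress
| table IPAddress
| format
```

The result is a single `search` field holding a filter of the form `( ( IPAddress="..." ) )`, with one OR-joined group per lookup row that matched. That is a search expression rather than a string or number, which is why it works as a filter on the base search and not as an argument to `eval`.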