Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Question about eval if 4 arguments

Abarny
Path Finder
‎02-17-2017 01:19 AM

Hi, i try to select on same event with different Values and they give result différent but Splunk find none result. Can you tell me what is wrong on my command ? Thanks

eval Agent= if(isnull(Agent) OR ( Agent=="aaa*", "bbb*") OR (Agent=="ccc*" , "ddd*" ,"reee*")OR (Agent=="*"),Messagerie, AC,MANAGERS,TECHNICIENS )

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Abarny
Path Finder
‎02-17-2017 02:13 AM

Thanks :).

I try with your solution but I think it's false again. I am a trainee and I try to do my best. So just bear with me. ( and with my English :))

eval Personnel =case(Agent == null() , "Messagerie", Agent ==("aa*" OR "bb*"), "AC", Agent=="*",TECHNICIENS) |stats count by Personnel

The last Agent is for give the reste of the values

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Abarny
Path Finder
‎02-17-2017 02:13 AM

Thanks :).

I try with your solution but I think it's false again. I am a trainee and I try to do my best. So just bear with me. ( and with my English :))

eval Personnel =case(Agent == null() , "Messagerie", Agent ==("aa*" OR "bb*"), "AC", Agent=="*",TECHNICIENS) |stats count by Personnel

The last Agent is for give the reste of the values

0 Karma
Reply
Solved! Jump to solution

Abarny
Path Finder
‎02-17-2017 06:55 AM

Thanks you Somesoni2 !!

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎02-17-2017 06:44 AM

Give this a try

eval Personnel =case(isnull(Agent) , "Messagerie", like(Agent,"aa%") OR like(Agent,"bb%"), "AC", 1=1,TECHNICIENS) |stats count by Personnel

So,
If Agent is null - Personnel=Messagerie
if Agent="aa*" OR Agent="bb*"(in search * is wildcard, for like function in eval , % is wildcard), Personnel=AC
For all other cases, Personnel=TECHNICIENS

Reply
Solved! Jump to solution

Abarny
Path Finder
‎02-17-2017 06:57 AM

Thanks you Somesoni2 !!

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎02-17-2017 01:52 AM

(field="value1", "value2") is not a valid eval expression. If you're looking for a list of possible values, you will need to spell them out explicitly like this: (field="value1" OR field="value2").

Similarly, if() only takes three arguments - the condition, the then-value, and the else value. If you're trying to test several conditions and yield a different result for each condition, you'll want to use case() like this: case(condition1, value1, condition2, value2, ...)

http://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/CommonEvalFunctions#Comparison_and...

Reply
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...