Solved: Reassign (or keep) variable in eval's IF statement

kevintelford · ‎07-29-2011

I have two variables and based on one would like to possible change the value of the other:

.. | eval a="foo" | eval b="some value" | eval a=if(match(b, "kittens"), "bar", a)

So if b contains 'kittens' make a's value equal 'bar', otherwise keep it 'foo'. Is this possible? As it stands now a only ever has a value when b contains 'kittens'.

Thanks,
Kevin

fk319 · ‎07-29-2011

well it seems it should work, so I went to my code to see how I implemented it, I ended up using a case command with the last expression as 1==1.

 eval a=case(match(b, "kittens"), "bar", 1==1,a)

It seems that I had the same issue also, and this was how I was able to get it to work.

View solution in original post

fk319 · ‎07-29-2011

well it seems it should work, so I went to my code to see how I implemented it, I ended up using a case command with the last expression as 1==1.

 eval a=case(match(b, "kittens"), "bar", 1==1,a)

It seems that I had the same issue also, and this was how I was able to get it to work.

kevintelford · ‎07-29-2011

Cool deal, too bad it doesn't work with if as well, but this will do just fine. Thanks!

Reassign (or keep) variable in eval's IF statement

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

Are you a member of the Splunk Community?

Reassign (or keep) variable in eval's IF statement

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

Brains, Bytes, and Boston: Learn from the Best at .conf25