Solved: Reassign (or keep) variable in eval's IF statement

kevintelford · ‎07-29-2011

I have two variables and based on one would like to possible change the value of the other:

.. | eval a="foo" | eval b="some value" | eval a=if(match(b, "kittens"), "bar", a)

So if b contains 'kittens' make a's value equal 'bar', otherwise keep it 'foo'. Is this possible? As it stands now a only ever has a value when b contains 'kittens'.

Thanks,
Kevin

fk319 · ‎07-29-2011

well it seems it should work, so I went to my code to see how I implemented it, I ended up using a case command with the last expression as 1==1.

 eval a=case(match(b, "kittens"), "bar", 1==1,a)

It seems that I had the same issue also, and this was how I was able to get it to work.

View solution in original post

fk319 · ‎07-29-2011

well it seems it should work, so I went to my code to see how I implemented it, I ended up using a case command with the last expression as 1==1.

 eval a=case(match(b, "kittens"), "bar", 1==1,a)

It seems that I had the same issue also, and this was how I was able to get it to work.

kevintelford · ‎07-29-2011

Cool deal, too bad it doesn't work with if as well, but this will do just fine. Thanks!

Reassign (or keep) variable in eval's IF statement

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Accelerating Observability as Code with the Splunk AI Assistant

Join the Conversation

Reassign (or keep) variable in eval's IF statement

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Accelerating Observability as Code with the Splunk AI Assistant