Solved: Reassign (or keep) variable in eval's IF statement

kevintelford · ‎07-29-2011

I have two variables and based on one would like to possible change the value of the other:

.. | eval a="foo" | eval b="some value" | eval a=if(match(b, "kittens"), "bar", a)

So if b contains 'kittens' make a's value equal 'bar', otherwise keep it 'foo'. Is this possible? As it stands now a only ever has a value when b contains 'kittens'.

Thanks,
Kevin

fk319 · ‎07-29-2011

well it seems it should work, so I went to my code to see how I implemented it, I ended up using a case command with the last expression as 1==1.

 eval a=case(match(b, "kittens"), "bar", 1==1,a)

It seems that I had the same issue also, and this was how I was able to get it to work.

View solution in original post

fk319 · ‎07-29-2011

well it seems it should work, so I went to my code to see how I implemented it, I ended up using a case command with the last expression as 1==1.

 eval a=case(match(b, "kittens"), "bar", 1==1,a)

It seems that I had the same issue also, and this was how I was able to get it to work.

kevintelford · ‎07-29-2011

Cool deal, too bad it doesn't work with if as well, but this will do just fine. Thanks!

Reassign (or keep) variable in eval's IF statement

Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...

Elevate Your Organization with Splunk’s Next Platform Evolution

Splunk Answers Content Calendar, June Edition

Are you a member of the Splunk Community?

Reassign (or keep) variable in eval's IF statement

Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...

Elevate Your Organization with Splunk’s Next Platform Evolution

Splunk Answers Content Calendar, June Edition