Splunk Search

Trying to check and set values conditionally, but the query below is giving an error

r_s01
Explorer

Error:

Error in 'eval' command: Fields cannot be assigned a boolean result. Instead, try if([bool expr], [expr], [expr]).
The search job has failed due to an error. You may be able view the job in the 
 
Query:
index="uhcportals-prod-logs" sourcetype=kubernetes container_name="myuhc-sso" logger="com.uhg.myuhc.log.SplunkLog" message.ssoType="Inbound" | eval ssoType = if(message.incomingRequest.inboundSsoType == "5-KEY", message.incomingRequest.deepLink, message.incomingRequest.inboundSsoType== "HYBRID", message.incomingRequest.inboundSsoType) | stats distinct_count("message.ssoAttributes.EEID") as Count by ssoType, "message.backendCalls{}.responseCode"

PickleRick
SplunkTrust

Your syntax is indeed wrong. The if() function requires two or three parameters:

1. Conditional expression evaluating to a boolean value

2. A value to be assigned if the expression from p.1 evaluates to true

3. Optionally, a value to be assigned if p.1 yields false (if not provided, an empty value will be assigned).

You have a condition in p.1, but your p.2 is also a condition (which, when evaluated, will yield a boolean value), not a normal value. Splunk doesn't let you assign a boolean value to a field; it can only be used in conditional statements.

It's not clear what you're trying to do. If it's supposed to be an additional condition for your if(), you must create a composite condition as the first parameter of the if() function. If you're trying to assign two different fields using a single eval statement and a single if() function, you can't do that.


r_s01
Explorer

I am trying to set the message.incomingRequest.deepLink value if message.incomingRequest.inboundSsoType == "5-KEY";

if message.incomingRequest.inboundSsoType == "HYBRID", then set message.incomingRequest.inboundSsoType itself;

and under "as Count by" I am adding ssoType so that whatever result we have under the same ssoType variable will be included in my count.

 

index="uhcportals-prod-logs" sourcetype=kubernetes container_name="myuhc-sso" logger="com.uhg.myuhc.log.SplunkLog" message.ssoType="Inbound" | eval ssoType = if(message.incomingRequest.inboundSsoType == "5-KEY", message.incomingRequest.deepLink, message.incomingRequest.inboundSsoType== "HYBRID", message.incomingRequest.inboundSsoType) | stats distinct_count("message.ssoAttributes.EEID") as Count by ssoType, "message.backendCalls{}.responseCode"


PickleRick
SplunkTrust

Wait. The if() function does not work as your typical programmatic if statement.

Normally in programming the if syntax is kinda like this: if (something) then (do something) else (do something else). But in Splunk it's not about _doing_ something. It's a function which yields values.

Notice that the if() is a right-value to an assignment in an eval statement. So with

| eval a=if(condition,b,c)

You're telling Splunk to assign a value of b or c (depending on the result of the condition) to the field a. There is nothing else you can "do" here. You're just returning the value b or c from the if() function.

At its core it's very similar to the ternary operator used in the C programming language:

a = (condition) ? b : c;

This is all about _returning a value_ which might turn out to be one or the other.

From your syntax I suspect you might be trying to do something normally done with the case() function: return a value if a specific condition from a given set of conditions is met. So if instead of if() you did

| eval ssoType = case('message.incomingRequest.inboundSsoType' == "5-KEY", 'message.incomingRequest.deepLink', 'message.incomingRequest.inboundSsoType' == "HYBRID", 'message.incomingRequest.inboundSsoType')

your ssoType will get assigned the value of the message.incomingRequest.deepLink field if the inboundSsoType equals "5-KEY". And if it doesn't, but the inboundSsoType equals "HYBRID" (technically in this case they can't both be true, of course, but it's worth remembering that case() returns the value for the first condition it matches), then ssoType will get assigned the value of the message.incomingRequest.inboundSsoType field (effectively the "HYBRID" string, since we're matching on this).

Is this what you're trying to do?
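The case() approach written out as a complete search, as an added example that is not part of this thread. It keeps the thread's index, sourcetype and field names and adds a true() catch-all so events that match neither condition are not silently dropped; the one detail to get right is that inside eval a field name containing dots must be enclosed in single quotes, otherwise eval parses each dot as the string-concatenation operator, the comparison yields null and case() returns nothing.

```spl
index="uhcportals-prod-logs" sourcetype=kubernetes container_name="myuhc-sso"
    logger="com.uhg.myuhc.log.SplunkLog" message.ssoType="Inbound"
| eval ssoType = case(
      'message.incomingRequest.inboundSsoType' == "5-KEY",  'message.incomingRequest.deepLink',
      'message.incomingRequest.inboundSsoType' == "HYBRID", 'message.incomingRequest.inboundSsoType',
      true(),                                               'message.incomingRequest.inboundSsoType')
| stats distinct_count("message.ssoAttributes.EEID") as Count by ssoType, "message.backendCalls{}.responseCode"
```

If the Statistics tab is still empty, run the search with only the eval line and add `| table ssoType 'message.incomingRequest.inboundSsoType'` to confirm the field is actually extracted under that exact name before grouping on it.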

r_s01
Explorer

Tried the same approach, but nothing is coming under "Statistics". When I am not checking any condition I am getting the record below. Now, if you relate my question to the below, you can understand that under the 5-KEY inboundSsoType the deep link is coming in the response, so I just want to replace the 5-KEY string with that deep link.

[screenshot: r_s01_0-1736516012776.png]

Below is the JSON against which I am trying to check the condition.

message: {
    backendCalls: [ ... ]
    deviceInfo: { ... }
    elapsedTime: 210
    exceptionList: [ ... ]
    incomingRequest: {
        deepLink: https://member.uhc.com
        hsidSSOParameters: { ... }
        inboundSsoType: 5-KEY