Trying to create a new calculated field but the Ev...

trobknight7 · ‎08-14-2024

Hi there, Splunk Community! First time poster! Whoo!

Let me outline the situation, goal, and problem faced briefly:
I have a field in a dataset called `detail.accountId` that is the number of an AWS Account ID. My goal is to create a calculated field called "AccountName" for each `detail.accountId` ID that would theoretically look something like this:
if(detail.accountId == "1234567890", "AccountX", "UnknownAccountName")

The problem I'm facing is the eval expression is always coming out False, resulting in the AccountName field column to always display"UnknownAccountName". No matter if I use tostring(detail.accountId), trim(detail.accountId), match(detail.accountId), etc in the eval expression comparison, it's always false when the value "1234567890" definitely exists as the detail.accountId.

Am I doing something incorrectly here that may be obvious to someone?

Thank you very much for the help!

Tyler

ITWhisperer · ‎08-14-2024

Since the field name has a dot in it, which is used as a string concatenator, have you tried putting the field name in single quotes?

if('detail.accountId' == "1234567890", "AccountX", "UnknownAccountName")

Trying to create a new calculated field but the Eval expression is not evaluating correctly

eval

fields

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

Splunk Observability for AI

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

Are you a member of the Splunk Community?