Splunk Search

Why is the "eval if" statement in my search not working as expected?

rusty009
Path Finder

I am trying to run a search which sets a new value depending on another field value. Below is my search:

index = myindex
| rename clientRequest.uri as uri
| eval uri=if("edgeRequest.httpMethod"==POST,"value1","value2")
| stats count by uri

The IF statement never seems to fall true. I thought it may be down to the ".", so I renamed the field to 'method', but still no luck. I have also put both the field and the value of the field (POST) in quotes, and it makes no difference. When I run the search below, it works as expected:

index = myindex
"edgeRequest.httpMethod"=POST

It's just when I put it in an if statement that it fails. How do I troubleshoot this?

1 Solution

rusty009
Path Finder

so,

It turns out I was making two mistakes: I had to put the field name in single quotes and the value in double quotes, which seemed to do the trick.

index = myindex
| rename clientRequest.uri as uri
| eval uri=if('edgeRequest.httpMethod'=="POST", "value1", "value2")
| stats count by uri

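A self-contained search, added here as an illustration and not taken from any post in this thread, that builds a handful of constructed events with makeresults and runs the broken and the corrected comparison side by side. The field names are the ones from the question; the sample URIs and methods are made up.

```spl
| makeresults count=4
| streamstats count AS n
| eval 'clientRequest.uri'=case(n==1,"/login", n==2,"/search", n==3,"/login", n==4,"/logout")
| eval 'edgeRequest.httpMethod'=case(n==1,"POST", n==2,"GET", n==3,"POST", n==4,"GET")
| rename clientRequest.uri AS uri
| eval broken=if("edgeRequest.httpMethod"==POST, "value1", "value2")
| eval fixed=if('edgeRequest.httpMethod'=="POST", "value1", "value2")
| table uri, edgeRequest.httpMethod, broken, fixed
```

The broken column never receives value1, because in eval a double-quoted token is a string literal and the bare word POST is read as a field name (which does not exist), while the fixed column receives value1 on the two POST rows. To run it against real data, replace the makeresults, streamstats and two constructed eval lines with index=myindex.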


ryandg
Communicator

This is because of the dreaded period.

Do this:

index = myindex
| rename clientRequest.uri as uri
| rename edgeRequest.httpMethod AS edgeRequest_httpMethod
| eval uri=if(edgeRequest_httpMethod=="POST","value1","value2")
| stats count by uri

javiergn
Super Champion

Try with single quotes when comparing the two field values:

index = myindex
| rename clientRequest.uri as uri
| eval uri=if('edgeRequest.httpMethod'=="POST", "value1", "value2")
| stats count by uri

javiergn
Super Champion

If you could provide a couple of samples I could try to replicate at home.
Simply run something like this:

index = myindex
| rename clientRequest.uri as uri
| eval uri=if('edgeRequest.httpMethod'==POST, "value1", "value2")
| table uri, POST, edgeRequest.httpMethod

And provide a few samples.


rusty009
Path Finder

Thanks, but this didn't work. When I rename edgeRequest.httpMethod to method I get the same issue, which to me means the field name has nothing to do with the issue; I think it's the value itself. Would you know how I could troubleshoot a search?
