Splunk Search

Why is my eval command with multiple if conditions not working?

SumanPalisetty
Path Finder

Hi,

I have used eval with multiple if conditions and it's failing. Kindly help.

 

source = "2access_30DAY.log"
 | eval new_field = if(status==200, "I love you Suman", "I love you Cloeh", if(status==403, "Suman Cloeh", "Cloeh Suman"))
 | table status, new_field

 

Regards

Suman P.

starcher
Influencer

If you have multiple conditions, use case, not if. Much easier; just ensure the last condition is 1==1,"VALUE" if you want a default when nothing before it matches.

inventsekar
SplunkTrust

Hi @SumanPalisetty ... try the case command.

| makeresults |eval status="200" 
 | eval new_field = case(status==200, "I love you Suman", status==403, "I love you Cloeh",1=1,"Cloeh Suman")
 | table status, new_field

It's working perfectly.

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading!

SumanPalisetty
Path Finder

Hi @inventsekar ,

I want to know what my mistake is. You all being experienced, I want to know where I am making the mistake so that I will learn and never repeat it. Thank you.

Regards

Suman P.


inventsekar
SplunkTrust

Hi @SumanPalisetty .. the if condition format:

if condition is true,

then do this,

or

"do the other"

so, in your if condition: if status is 200, then Suman, or, then one more if condition, like this one:

| makeresults |eval status="200"
 | eval new_field = if(status==200, "Suman", if(status==403, "Cloeh", "not Suman and Cloeh"))
 | table status, new_field

thanks and best regards,
Sekar

SumanPalisetty
Path Finder

Hi @inventsekar ,

Why do we need to add makeresults? Also, why do we need multiple eval commands?

Regards

Suman P.


inventsekar
SplunkTrust

Hi @SumanPalisetty,

On your Splunk environment, when you run this,

source = "2access_30DAY.log"

Splunk will get the "2access_30DAY.log" log and then the "status" will be analyzed inside the if condition.

 

But, on my Splunk environment, as I don't have the "2access_30DAY.log" log in my system, I should create a temporary variable with eval status="200"... with this I will have a log event and then I can run the if condition. Hope you understood now; let me know if any questions. As the last reply was working perfectly, please accept it as a solution, so that this question will be moved from "unanswered" to "answered". Thanks.

thanks and best regards,
Sekar

ITWhisperer
SplunkTrust

Your mistake is in the if function: you have more than 3 parameters. Have another look at the documentation.

Comparison and Conditional functions - Splunk Documentation
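As an added example (not code posted by anyone in this thread), the search below builds a few constructed status values with makeresults, so it runs on any Splunk instance without the "2access_30DAY.log" source, and evaluates the same three-way mapping both ways: a nested if (each if takes exactly three arguments: condition, value-if-true, value-if-false) and a case with a true() default as the final pair. The two result columns are identical, which is the point of both answers above.

```spl
| makeresults count=4
| streamstats count AS n
| eval status = case(n==1, 200, n==2, 403, n==3, 404, true(), 500)
| eval via_if   = if(status==200, "I love you Suman", if(status==403, "Suman Cloeh", "Cloeh Suman"))
| eval via_case = case(status==200, "I love you Suman", status==403, "Suman Cloeh", true(), "Cloeh Suman")
| table status via_if via_case
```

Replace the first three lines with the real source (source="2access_30DAY.log") to run it against live data; the eval lines are unchanged. The fourth argument in the original search is what the parser rejects, because if() has no slot for it; nesting the second if in the false branch, or switching to case with a catch-all last pair, is the fix.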
