Splunk Search

Why is my eval if() not working consistently

rrustong
Explorer

I'm having a difficult time getting what I believe is a simple eval command to work as I would expect. What I'm trying to accomplish is to convert a 1 or 0 into Yes or No respectively. I'm able to do so just fine on one field, but 2 others are giving me a problem. Here's the search I'm running:

| rest /servicesNS/-/-/saved/searches 
| search action.myAction=1 
| foreach action.myAction.param.myParam1 action.myAction.param.myParam2 is_scheduled [eval <<FIELD>>=if(isnull(<<FIELD>>),<<FIELD>>,if(<<FIELD>>=1,"Yes","No"))]
| rename action.myAction.param.myParam1 as param1, action.myAction.param.myParam2 as param2

I had to add the isnull check as the 2 param fields do not always have data in them and the search would not run without the isnull. This search does result in Yes/No values in the is_scheduled field, but the param fields remain unchanged. To my knowledge, Splunk is treating them as numbers as they are right-justified in the results table.

Here is some sample output from the above search:

title, param1, param2, is_scheduled
alert1, , yes
alert2, 1, 1, Yes
alert3, 1, 0, Yes
alert4, 0, 0, Yes

I have also tried adding another field to test whether the data is a string, number or null, but end up with very strange results from that. I added the following lines between the search and foreach lines to get the results below:

| eval isNumber=if(isnum(action.myAction.param.myParam1),"yes","no")
| eval isString=if(isstr(action.myAction.param.myParam1),"yes","no")
| eval isNull=if(isnull(action.myAction.param.myParam1),"yes","no")

Results:
title, param1, param2, is_scheduled, isNumber, isString, isNull
alert1, , yes, no, no, yes
alert2, 1, 1, Yes, no, no, yes
alert3, 1, 0, Yes, no, no, yes
alert4, 0, 0, Yes, no, no, yes

I have copied and pasted the field name everywhere within the command to make sure I haven't typo'd anything and I have tried renaming the fields prior to the eval command and using the renamed field instead of the original, but that changes nothing. I have also tried doing it outside a foreach loop, but still get the same results.

What am I missing? Is there a better way to accomplish what I'm trying to do?

1 Solution

elliotproebstel
Champion

I know you say you tried renaming the field before the eval, but I suspect that there might have been an error when you were testing that. Compare the following two:
| stats count | eval test.test1.testing="thing", test2="other", test3="thing" | foreach test.test1.testing test2 test3 [ eval <<FIELD>>=if(<<FIELD>>="thing","renamed",<<FIELD>>) ]
and
| stats count | eval test.test1.testing="thing", test2="other", test3="thing" | rename test.test1.testing AS test1 | foreach test1 test2 test3 [ eval <<FIELD>>=if(<<FIELD>>="thing","renamed",<<FIELD>>) ]

When I run these, the first shows this - which matches your test results (note that the value of the first variable remains unchanged):

count  test.test1.testing  test2   test3
0 thing other renamed

and the second (which renames the field name test.test1.testing to test1 before the foreach and eval loop) gives me the desired result:

count  test1   test2   test3
0 renamed other renamed
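Applying the accepted answer's approach to the original search, as an added example that is not from either poster: the two dotted fields are renamed to plain names before the foreach, so the eval inside the loop only ever sees field names without periods (eval reads an unquoted period as its string-concatenation operator, which is why the dotted names evaluated as null and the isnull branch returned them unchanged). The isnull check is kept because the param fields are not always populated; the trailing table is only there to show the four columns from the question.

```spl
| rest /servicesNS/-/-/saved/searches
| search action.myAction=1
| rename action.myAction.param.myParam1 AS param1, action.myAction.param.myParam2 AS param2
| foreach param1 param2 is_scheduled
    [ eval <<FIELD>>=if(isnull(<<FIELD>>), <<FIELD>>, if(<<FIELD>>=1, "Yes", "No")) ]
| table title param1 param2 is_scheduled
```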


rrustong
Explorer

You are correct. I know I did test with renaming before the eval, but must have done something wrong as it's working now.

Thanks!


elliotproebstel
Champion

Glad I could help! I know how frustrating it is to test all possible error conditions for complex searches. 🙂
