Re: if statement not returning expected results

SplunkySplunk · ‎09-29-2023

Hello
I'm trying to count events by field called "UserAgent"
If im searching for the events without any calculated field im getting results from different UserAgents
But once im using eval, I don't get the expected results
For example:
I've tried this eval and im getting only "android" also im searching for "ios" only with

"ContextData.UserAgent"=*ios*

as part of my query

| eval UserAgent = if("ContextData.UserAgent"="*ios*","ios","android")

what im doing wrong ?

ITWhisperer · ‎09-29-2023

A couple of things wrong - field names should be in single quotes not double quotes when on the right hand side of the evaluation - equalities don't work with *, that's just for search filters, try match()

| eval UserAgent = if(match('ContextData.UserAgent',"ios"),"ios","android")

sarit_s · ‎09-30-2023

Thanks !

gcusello · ‎09-29-2023

Hi @SplunkySplunk,

the issue is that sometimes, having special chars (as dot) in the field names the eval command fails, use rename and it will work:

| rename ContextData.UserAgent AS ContextData_UserAgent
| eval UserAgent = if("ContextData_UserAgent"="*ios*","ios","android")

Ciao.

Giuseppe

Why is statement not returning expected results when counting events by "UserAgent" field?

count

eval

Cultivate Your Career Growth with Fresh Splunk Training

Introducing a Smarter Way to Discover Apps on Splunkbase

How to Send Splunk Observability Alerts to Webex teams in Minutes

Are you a member of the Splunk Community?