Re: if statement not returning expected results

SplunkySplunk · ‎09-29-2023

Hello
I'm trying to count events by field called "UserAgent"
If im searching for the events without any calculated field im getting results from different UserAgents
But once im using eval, I don't get the expected results
For example:
I've tried this eval and im getting only "android" also im searching for "ios" only with

"ContextData.UserAgent"=*ios*

as part of my query

| eval UserAgent = if("ContextData.UserAgent"="*ios*","ios","android")

what im doing wrong ?

ITWhisperer · ‎09-29-2023

A couple of things wrong - field names should be in single quotes not double quotes when on the right hand side of the evaluation - equalities don't work with *, that's just for search filters, try match()

| eval UserAgent = if(match('ContextData.UserAgent',"ios"),"ios","android")

sarit_s · ‎09-30-2023

Thanks !

gcusello · ‎09-29-2023

Hi @SplunkySplunk,

the issue is that sometimes, having special chars (as dot) in the field names the eval command fails, use rename and it will work:

| rename ContextData.UserAgent AS ContextData_UserAgent
| eval UserAgent = if("ContextData_UserAgent"="*ios*","ios","android")

Ciao.

Giuseppe

Why is statement not returning expected results when counting events by "UserAgent" field?

count

eval

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos

New in Splunk Observability Cloud: Automated Archiving for Unused Metrics

Calling All Security Pros: Ready to Race Through Boston?

Are you a member of the Splunk Community?