Solved: Why won't If statement evaluate as true?

anjuliwyles · ‎01-10-2023

When I place event.code into an if statement, it will not evaluate as true

Currently I have this code:

index = windows-security event.code IN (4624)
| eval Success=if(event.code = "4624", 1, 0)
| stats count by Success

Success always evaluates to 0. I have tried using

match(event.code, "4624")

match(event.code, '4624')

match(event.code, ".+")

like(event.code, "4624")

like(event.code, '4624')

I even tried event.code = event.code

Always 0.

richgalloway · ‎01-10-2023

Since event.code probably is an integer have you tried

| eval Success=if(event.code = 4624, 1, 0)

It's possible Splunk is struggling with the field name. Try renaming it before the conditional.

| rename event.* as *
| eval Success = if(code=4624, 1, 0)

---
If this reply helps you, Karma would be appreciated.

richgalloway · ‎01-10-2023

Since event.code probably is an integer have you tried

| eval Success=if(event.code = 4624, 1, 0)

It's possible Splunk is struggling with the field name. Try renaming it before the conditional.

| rename event.* as *
| eval Success = if(code=4624, 1, 0)

---
If this reply helps you, Karma would be appreciated.

anjuliwyles · ‎01-10-2023

Renaming the field worked! Thank you

Why won't If statement evaluate as true?