Solved: Re: declare a variable in search string

Splunk_U · ‎01-08-2013

I have a search string (given below). Now I want to declare a variable named Os_Type, which based on the source type, will provide me OS Type.

index=os source=Perfmon:LocalLogicalDisk
| where like(counter, "% Free Space")
| stats avg(Value) as "availDiskPct" by host
| eval availDiskPct=round(availDiskPct, 2)

Now I have tried with
eval Os_Type=if($source$==":","WINDOWS","unix")
but it is not giving me the correct result.

Please help me!!!

Ayn · ‎01-08-2013

You're correct in that you should be using eval, but your eval statement looks a bit off. As it is now, "Os_Type" would only get the value "WINDOWS" if the source field is EXACTLY ":". Did you mean that it should CONTAIN ":"? If so, you should do something like

... | eval Os_Type=if(match(source,":"),"WINDOWS","unix")

View solution in original post

Ayn · ‎01-08-2013

You're correct in that you should be using eval, but your eval statement looks a bit off. As it is now, "Os_Type" would only get the value "WINDOWS" if the source field is EXACTLY ":". Did you mean that it should CONTAIN ":"? If so, you should do something like

... | eval Os_Type=if(match(source,":"),"WINDOWS","unix")

muthvin · ‎01-10-2016

After declaring the variable will you be able to use Os_Type in calculating other fieldvalues?

Splunk_U · ‎01-09-2013

Thank you!!!

Ayn · ‎01-09-2013

Something like

index=os source=Perfmon:LocalMainMemory | where like(counter,"% Committed Bytes In Use") | eval Os_Type=if(source=="Perfmon:LocalMainMemory","WINDOWS","Unix") | stats avg(Value) as "avgMemPct", max(Value) as "peakMemPct" by host,Os_Type | eval avgMemPct=round(avgMemPct,2) | eval peakMemPct=round(peakMemPct,2)

should do it.

Splunk_U · ‎01-09-2013

tried to find how can we use split by...but did not find luck...can you please tell me the syntax for the same?

Ayn · ‎01-09-2013

Ah, I see now - you're putting your eval after the stats command. The only field output from stats will be the fields that it produces - in your case avgMemPct, peakMemPct and host. So, when you're doing your eval statement at the end, the source field no longer exists. You need to put the eval before your stats command and then do something like splitting by host AND Os_Type in order to get it to show in your results.

Splunk_U · ‎01-09-2013

even if I am trying to search the below mentioned string:

index=os source=Perfmon:LocalMainMemory
| where like(counter,"% Committed Bytes In Use")
| stats avg(Value) as "avgMemPct", max(Value) as "peakMemPct" by host
| eval avgMemPct=round(avgMemPct,2)
| eval peakMemPct=round(peakMemPct,2)
| eval Os_Type=if(source=="Perfmon:LocalMainMemory","WINDOWS","Unix")

the result is coming as Unix ...is there any problem with the conditional operator..

Splunk_U · ‎01-09-2013

I meant that : should be present in the source. I tried with what you have suggested...but it is giving me the wrong result.

declare a variable in search string

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Data Management Digest – May 2026

Join the Conversation