Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: eval if(X,Y,Z) always returns Z whether X matc...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
eval if(X,Y,Z) always returns Z whether X matches or not
I'm trying to do this exact same thing but my search doesn't seem to recognize when Event="mock". It sets the Z value to MedRepoCloneMergeTime, regardless. I've tried changing the Z value and that changes, but when the X matches, it doesn't return Y, only Z. So it is returning Z and not ignoring the eval all together.
|eval MedRepoCloneMergeTime=if(Event="mock", "NA", MedRepoCloneMergeTime)
When X doesn't match, it also returns Z.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It depends on what you mean by match. In search, Event="mock" will be case insensitive, but in if/where, it will be case sensitive to make it the same, do this:
... |eval MedRepoCloneMergeTime=if(match(Event, "^(?i)mock$"), "NA", MedRepoCloneMergeTime)
Also, maybe you are assuming that Event has your event in it, but it does not, that field is called _raw so perhaps what you really need is this:
... |eval MedRepoCloneMergeTime=if(match(_raw, "(?i)mock"), "NA", MedRepoCloneMergeTime)
It is hard to tell because you did not give us your events.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Z is the false statement, so its stating that field:"Event" does not match "mock". Try using a like statement
|eval "newEvent"=if(like(Event, "%mock%"), "true", "false")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That didn't work either.
MedRepoCloneMergeTime and Event are existing fields. It returns Z even if the eval should be true.
Event only has 4 options in my data. Even when I add Event="mock" to the search it returns false.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@cblanton this is a very basic scenario which should work fine. Please try the following run anywhere example. When the Event is set to mock it returns NA. Which is the expected behavior.
| makeresults
| eval Event="mock",MedRepoCloneMergeTime=strftime(now(),"%c")
| eval MedRepoCloneMergeTime=if(Event="mock", "NA", MedRepoCloneMergeTime)
This makes me think maybe the value in Event is not exactly the same as "mock". Does it have leading/trailing whitespace character? Or does it have a different casing?
Try with match() for regular expression case insensitive match instead of exact match | eval MedRepoCloneMergeTime=if(match(Event,"(?i)mock"), "NA", MedRepoCloneMergeTime)
Following is a run anywhere example to test this:
| makeresults
| eval Event=" Mock ",MedRepoCloneMergeTime=strftime(now(),"%c")
| eval MedRepoCloneMergeTime=if(match(Event,"(?i)mock"), "NA", MedRepoCloneMergeTime)
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
can you share your full search and data sample?
September Community Champions: A Shoutout to Our Contributors!
Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps
What’s New in Splunk Observability – September 2025
