Splunk Search

eval if(X,Y,Z) always returns Z whether X matches or not

cblanton
Communicator

https://docs.splunk.com/Documentation/Splunk/7.3.0/SearchReference/ConditionalFunctions#if.28X.2CY.2...

I'm trying to do this exact same thing but my search doesn't seem to recognize when Event="mock". It sets the Z value to MedRepoCloneMergeTime, regardless. I've tried changing the Z value and that changes, but when the X matches, it doesn't return Y, only Z. So it is returning Z and not ignoring the eval altogether.

|eval MedRepoCloneMergeTime=if(Event="mock", "NA", MedRepoCloneMergeTime)

When X doesn't match, it also returns Z.

0 Karma

woodcock
Esteemed Legend

It depends on what you mean by match. In search, Event="mock" will be case-insensitive, but in if/where it will be case-sensitive. To make it the same, do this:

... |eval MedRepoCloneMergeTime=if(match(Event, "^(?i)mock$"), "NA", MedRepoCloneMergeTime)

Also, maybe you are assuming that Event has your event in it, but it does not, that field is called _raw so perhaps what you really need is this:

... |eval MedRepoCloneMergeTime=if(match(_raw, "(?i)mock"), "NA", MedRepoCloneMergeTime)

It is hard to tell because you did not give us your events.

0 Karma

mmqt
Path Finder

Z is the false statement, so it's stating that field "Event" does not match "mock". Try using a like statement:

|eval "newEvent"=if(like(Event, "%mock%"), "true", "false")

cblanton
Communicator

That didn't work either.

MedRepoCloneMergeTime and Event are existing fields. It returns Z even if the eval should be true.

Event only has 4 options in my data. Even when I add Event="mock" to the search it returns false.

0 Karma

niketn
Legend

@cblanton this is a very basic scenario which should work fine. Please try the following run-anywhere example. When the Event is set to mock it returns NA, which is the expected behavior.

| makeresults 
| eval Event="mock",MedRepoCloneMergeTime=strftime(now(),"%c")
| eval MedRepoCloneMergeTime=if(Event="mock", "NA", MedRepoCloneMergeTime)

This makes me think maybe the value in Event is not exactly the same as "mock". Does it have a leading/trailing whitespace character? Or does it have different casing?

Try with match() for a regular-expression, case-insensitive match instead of an exact match:

| eval MedRepoCloneMergeTime=if(match(Event,"(?i)mock"), "NA", MedRepoCloneMergeTime)

Following is a run-anywhere example to test this:

| makeresults 
| eval Event=" Mock ",MedRepoCloneMergeTime=strftime(now(),"%c")
| eval MedRepoCloneMergeTime=if(match(Event,"(?i)mock"), "NA", MedRepoCloneMergeTime)
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
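To make the difference between the three comparisons in this thread concrete, here is an added Python emulation (not SPL, and not code from any of the posters) of eval's `Event="mock"`, `match(Event, "^(?i)mock$")` and `match(Event, "(?i)mock")`. The Event values and the stand-in timestamp are constructed; the real field reportedly has four values the thread never lists. The example also shows one caveat the thread only hints at: the anchored regex tolerates casing but not surrounding whitespace, while the unanchored one tolerates both but also hits any value that merely contains "mock".

```python
import re

# Constructed stand-ins for the Event field (not the poster's data), chosen to
# exercise the casing and whitespace pitfalls raised in the replies.
SAMPLE_EVENTS = ["mock", "Mock", "MOCK", " Mock ", "build", "test", "mockery"]

# Constructed stand-in for the existing MedRepoCloneMergeTime value
# (the run-anywhere examples fill it with strftime(now(), "%c")).
EXISTING_VALUE = "Tue Jul  9 10:00:00 2019"


def spl_equals(event: str, literal: str) -> bool:
    """Emulates eval's Event="mock": a case-sensitive, whole-string comparison.
    (In the search command the same expression is case-insensitive; in eval/where it is not.)"""
    return event == literal


def spl_match(event: str, pattern: str) -> bool:
    """Emulates eval's match(Event, pattern): a regex search anywhere in the value."""
    return re.search(pattern, event) is not None


def spl_if(cond: bool, then_value, else_value):
    """Emulates eval's if(X, Y, Z): Y when X is true, Z otherwise."""
    return then_value if cond else else_value


def apply_rule(predicate) -> dict:
    """Run one predicate over the sample and return {Event: MedRepoCloneMergeTime}.
    "NA" is the Y branch; EXISTING_VALUE stands in for the untouched field."""
    return {e: spl_if(predicate(e), "NA", EXISTING_VALUE) for e in SAMPLE_EVENTS}


def na_hits(rule: dict) -> list:
    """Which Event values took the Y ("NA") branch under a rule."""
    return [e for e, v in rule.items() if v == "NA"]


# 1. The original search: exact, case-sensitive compare. Only "mock" reaches Y.
exact_rule = apply_rule(lambda e: spl_equals(e, "mock"))

# 2. Anchored, case-insensitive regex (first reply). Splunk's PCRE accepts
#    ^(?i)mock$; Python 3.11+ requires the inline flag at the very start, so
#    the equivalent pattern is written (?i)^mock$ here.
anchored_rule = apply_rule(lambda e: spl_match(e, r"(?i)^mock$"))

# 3. Unanchored, case-insensitive regex (run-anywhere example). Tolerates
#    surrounding whitespace, but also fires on anything that contains "mock".
loose_rule = apply_rule(lambda e: spl_match(e, r"(?i)mock"))


if __name__ == "__main__":
    for name, rule in [("exact", exact_rule), ("anchored", anchored_rule), ("loose", loose_rule)]:
        print(f"{name:9s} -> NA for {na_hits(rule)}")
```

Running the block prints which sample values reach the "NA" branch under each rule: only `"mock"` for the exact compare, the three case variants for the anchored regex, and additionally `" Mock "` and `"mockery"` for the unanchored one. Whether that last over-match matters depends on the other three Event values in the real data, which is why the replies asking for a data sample are the right next step.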

adonio
Ultra Champion

can you share your full search and data sample?

0 Karma