Solved: how to assign boolean result within eval?

sfatnass · ‎12-22-2016

hi,

I worked last week with Splunk 6.3.3 and upgraded to the latest version 6.5.

I detected a problem with a search, when i try to assign a boolean result using eval function.
on the Splunk 6.3.3, it worked but not with 6.5

this is my request :

|stats count |fields - count |eval country = "FR;DE;GE;AN;US" |eval country = split(country,";") |mvexpand country |eval tokenValue = 1 | eval toto = if(tokenValue ==1, country="FR", country!="FR")

the tokenValue get a dynamic value 0 or 1.
how can i search or filter my events based on tokenValue?

here's a picture of the error message.

thx

richgalloway · ‎12-22-2016

How about this?

|stats count |fields - count |eval country = "FR;DE;GE;AN;US" |eval country = split(country,";") |mvexpand country |eval tokenValue = 1 | eval toto = if(tokenValue ==1, if(country="FR",1,0), if(country!="FR",1,0))

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎12-22-2016

How about this?

|stats count |fields - count |eval country = "FR;DE;GE;AN;US" |eval country = split(country,";") |mvexpand country |eval tokenValue = 1 | eval toto = if(tokenValue ==1, if(country="FR",1,0), if(country!="FR",1,0))

---
If this reply helps you, Karma would be appreciated.

how to assign boolean result within eval?

Enterprise Security Content Update (ESCU) | New Releases

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We’ve Got Education Validation!