Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: with the same search conditions, I cannot make...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
with the same search conditions, I cannot make eval if function to return true...
For some use case, I need to make a new true/false field.
Below condition returns 11 events in my data sample:
| from datamodel:"SomeDataModel.SomeDataSet" |search LocalField1=ABC AND CalculatedField2!=0
But if I write it with Eval and if functions like below, it returns no event:
| from datamodel:"SomeDataModel.SomeDataSet" |eval truefalseField1=if((LocalField1=ABC AND CalculatedField2!=0),true,false)
|search truefalseField1=true
How can I make the 2nd search also return same (11) events? Could you please help?
Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The values true and false are not recognized values. You have to use either the strings values "true" and "false" or use numbers 1 and 0.
For example
| from datamodel:"SomeDataModel.SomeDataSet" |eval truefalseField1=if((LocalField1=ABC AND CalculatedField2!=0),1,0) | search truefalseField1=1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
found reason why. It is that only when in eval statement, the CalculatedField2 failed to return any value. but in the first statement, the calculated field worked fine.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
this is actually splunk-enterprise question, but after I click the Splunk Enterprise button and then click the “Post Your Question” button, it gives me error: The following topics are not present in the system, and you don't have permissions to create new ones: splunk-enterprise
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
have you tried putting everything in quotations that isn't a number?
| from datamodel:"SomeDataModel.SomeDataSet" |eval truefalseField1=if((LocalField1="ABC" AND CalculatedField2!=0),"true","false")
|search truefalseField1="true"
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
