Hi all, I am trying to run this simple search:
SourceType=FooMonitoring |eval isSuccess=if(Test.TestIsSuccessful=="true","Yes","No") | table isSuccess Test.TestIsSuccessful
I am getting the following results: (can't post an image...)
isSuccess Test.TestIsSuccessful
--------------------------------------
No true
No true
No true
No true
No true
No true
No true
I am expecting all the isSuccess values to be "Yes" but no matter what I do the if expression does not evaluate to true. Tried different ways, tried removing the double quotes around the "true" part with no luck.
Note that the raw data is json, but I didn't encounter any problems with it so far and I don't know if it is related or not...
I am using splunk 6
Please help me figure out what am I doing wrong.
Thanks!
Unfortunately, the dot (.
) in eval
expression syntax means "string concatenate". JSON kv parsing creates variables with a dot in their name, e.g., Test.TestIsSuccessful
. However, eval
parses that as a concatenation of two variables, Test
and TestIsSuccessful
.
To get around this, quote the variable name with single-quotes, so that the dot is not interpreted as the concatenation operator:
... | eval isSuccess=if('Test.TestIsSuccessful'=="true","Yes","No") | ...
Unfortunately, the dot (.
) in eval
expression syntax means "string concatenate". JSON kv parsing creates variables with a dot in their name, e.g., Test.TestIsSuccessful
. However, eval
parses that as a concatenation of two variables, Test
and TestIsSuccessful
.
To get around this, quote the variable name with single-quotes, so that the dot is not interpreted as the concatenation operator:
... | eval isSuccess=if('Test.TestIsSuccessful'=="true","Yes","No") | ...