Solved: If/Then To different Eval Statements

albyva · ‎09-22-2014

I'm trying to have a Splunk Alert kick off an email (to an email script) and depending on the search query it should email Address1 or Address2. How do you I create this type of variable? Should I setup a where statement like | where search=Apples | eval email="address1" |where search=Oranges | eval email="address2" ????

Example:

[search yields Apples] | eval email="address1"

[search yields Oranges] | eval email="address2"

pradeepkumarg · ‎09-22-2014

You can club if and eval as below.

eval email=if(mycondition,"address1","address2")

View solution in original post

somesoni2 · ‎09-22-2014

Try this

| eval email=if(like(BPS,"%Gbps"),"address1","address2")

albyva · ‎09-22-2014

Thank You !!!! 🙂

pradeepkumarg · ‎09-22-2014

You can club if and eval as below.

eval email=if(mycondition,"address1","address2")

albyva · ‎09-22-2014

Can you add a wildcard into mycondition?

I see where if(X,Y,Z) says: This function takes three arguments. The first argument X is a Boolean expression. If X evaluates to TRUE, the result is the second argument Y. Optionally, if X evaluates to FALSE, the result evaluates to the third argument Z.

My problem now is that (X) is something like 123.45 Gbps or 45.67 Mbps. My goal is to have Gbps send email to address1 and everything go to address2.

Example:

| eval email=if(BPS="Gbps","address1","address2")

The problem appears to be that if I say Gbps or even *Gbps in the X field, neither seem to work. It's only when I specify the exact value like 123.45 Gbps does it actually work. So what I need is a wildcard, but that isn't working. Any suggestions???

Thanks

pradeepkumarg · ‎09-22-2014

Yes, you should be able to do it.. You can also try to extract just Gbps and Mbps into a field before the condition and try the comparison on that field.

If/Then To different Eval Statements

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!