Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why won't my multiple "eval if match" expressions work?

jsven7
Communicator
‎10-16-2015 10:21 AM

Hi

I'm trying to check a field for an OS. If Windows, then replace the entire field with "Windows". If mac is found, then replace the entire field with "Mac" Etc. It seems like only the second match works. Anyone know why?

Current Search:

...
| eval OS=if(match(User_Agent,"mac"),"Macintosh",User_Agent)
| eval OS=if(match(User_Agent,"windows"),"Windows",User_Agent)

Sample Data:

Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; PRU_IE; rv:11.0) like Gecko
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/600.3.18 (KHTML, like Gecko) Version/8.0.3 Safari/600.3.18
Tags (4)
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎10-16-2015 11:19 AM

You're writing the OS field in the second eval, regardless of a match or not: Either with "Windows" or with User_Agent. Instead, make the if() preserve the current value like this:

...
| eval OS=if(match(User_Agent,"(?i)mac"),"Macintosh",OS)
| eval OS=if(match(User_Agent,"(?i)windows"),"Windows",OS)

Note that I made the regular expressions case insensitive. Additionally, be careful about accidentally matching other parts of the string. I'm pretty sure the web already has working examples of how to regex out the OS from a user agent, maybe even on splunkbase.

View solution in original post

Reply
Solved! Jump to solution

DeronJensen
Explorer
‎10-16-2015 11:23 AM

They are both working, but your second eval is overwriting the OS value of your first.

Change the second to:

| eval OS=if(match(User_Agent,"windows"),"Windows",OS)

Reply
Solved! Jump to solution

jsven7
Communicator
‎10-16-2015 12:33 PM

Everyone said, "your overwriting". For some reason when I read your "you're overwriting" the light bulb turned on. Thanks.

0 Karma
Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎10-16-2015 11:19 AM

You're writing the OS field in the second eval, regardless of a match or not: Either with "Windows" or with User_Agent. Instead, make the if() preserve the current value like this:

...
| eval OS=if(match(User_Agent,"(?i)mac"),"Macintosh",OS)
| eval OS=if(match(User_Agent,"(?i)windows"),"Windows",OS)

Note that I made the regular expressions case insensitive. Additionally, be careful about accidentally matching other parts of the string. I'm pretty sure the web already has working examples of how to regex out the OS from a user agent, maybe even on splunkbase.

Reply
Solved! Jump to solution

jsven7
Communicator
‎10-16-2015 12:30 PM

Ok. I understand that I'm having a logic issue. I don't see it though. This example works as I want to use it for multiple matches. Appreciate it.

0 Karma
Reply
Solved! Jump to solution

jsven7
Communicator
‎10-16-2015 12:34 PM

I understand the bad overwrite now. Thanks.

Reply
Solved! Jump to solution

aljohnson_splun
Splunk Employee
Splunk Employee
‎10-16-2015 12:09 PM

BOOM ! This is the answer.

Reply
Solved! Jump to solution

HiroshiSatoh
Champion
‎10-16-2015 11:18 AM

It 's looks like this?

ex.)
User_Agent:"mac"

| eval OS=if(match(User_Agent,"mac"),"Macintosh",User_Agent)
OS:Macintosh
| eval OS=if(match(User_Agent,"windows"),"Windows",User_Agent)
OS:mac

Try this!

your search |eval OS = case(match(User_Agent,"mac"), "Macintosh", match(User_Agent,"windows"), "Windows",1==1,User_Agent)

Reply
Solved! Jump to solution

jsven7
Communicator
‎10-16-2015 12:32 PM

Thank you HiroshiSatoh. This works. Only thing is that I tried to copy-cat the logic for multiple searches and I ran into issues. I'm new to Splunk!

0 Karma
Reply
Solved! Jump to solution

becksyboy
Communicator
‎11-22-2018 02:53 AM

This works for me, thanks!

0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎10-16-2015 10:54 AM

You're matching on the field User_Agent for patterns like "mac" and windows". So I ask, does the User_Agent field exist on "mac" data? If so, can you please post example?

or you can show us what matches this search maybe?
...|dedup User_Agent | table User_Agent

0 Karma
Reply
Solved! Jump to solution

jsven7
Communicator
‎10-16-2015 11:50 AM

Sorry I don't understand your question. Are you asking if there is a User_Agent field that contains the literals, 'mac'? If so yes.

Below is a field where with the above code I expect it to be 'Macintosh' because of the literal 'mac' contained in it.
junospulseipad/iphone mozilla/5.0 (ipad; cpu os 9_0_2 like mac os x) applewebkit/601.1.46 (khtml, like gecko) mobile/13a452 junospulse(version-5.0.8.50589)ipad/iphone

0 Karma
Reply
Solved! Jump to solution

aljohnson_splun
Splunk Employee
Splunk Employee
‎10-16-2015 10:51 AM

Did you try capitalizing the m and w of mac and windows in your match function ?

Reply
Solved! Jump to solution

jsven7
Communicator
‎10-16-2015 11:42 AM

Sorry, the sample data is raw. In the code I had the sample data all lowercased.

0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎10-16-2015 10:56 AM

That was my first thought, but he says windows match is working so I asked for a list of User_Agent values.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...