Splunk Search

Eval If Statement

IRHM73
Motivator

Hi, I wonder whether someone may be able to help me please.

Although I've been using Splunk for a few months now, I'm still coming up against statements I've not seen before.

One of which is this | eval verifiedButBounced=if('detail.verifiedButBounced'!="", 'detail.verifiedButBounced.count',0)

Could someone possibly explain to me what this statement is actually doing, and is there a more efficient way of writing this?

Many thanks and kind regards

Chris

1 Solution

dwaddle
SplunkTrust

So the eval command's if works just like the IF macro in Excel. The idea here is that the search is trying to "zero-fill" a field if the contents of the field is the empty string. This is a fairly common idiom, and can sometimes be replaced with the coalesce function like so:

| eval verifiedButBounced = coalesce('detail.verifiedButBounced',0)

The trickery here is the use of both " and '. In eval, a . (dot) character can be used to mean string concatenation. It can also be used in a field name, for example if a field comes from JSON data. So if you have the string detail.verifiedButBounced, do you mean a field named detail.verifiedButBounced, or do you mean detail concatenated with verifiedButBounced? It is ambiguous! The eval command uses single quotes around a field name to "escape" otherwise special characters within that field name. Double quotes are used to represent static strings. So your original eval could be expressed as:

If the field named detail.verifiedButBounced is not equal to the string "" then set the new field verifiedButBounced equal to the value of detail.verifiedButBounced. Otherwise, set the value of the new field verifiedButBounced equal to 0.


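To make the mechanics of the accepted answer concrete, here is an added example that is not from the thread and not Splunk code: a small Python re-implementation of what happens to an event on its way through that eval. It flattens constructed JSON events into dotted field names (which is why 'detail.verifiedButBounced.count' has to be single-quoted in eval), then applies the original if() form from the question, a coalesce() form, and a stricter form that also catches an empty-string count. Assumptions: the sample events are made up; SPL's != against a missing (null) field is treated as not true; coalesce() replaces only null, never the empty string; and the parent object is kept as its own field holding its JSON text, which is what the question's != "" test relies on. The coalesce variant on the leaf field and the "strict" form are this example's, not the answer's.

```python
import json

# Constructed sample events for illustration (assumed shapes, not real data).
SAMPLE_EVENTS = [
    '{"detail": {"verifiedButBounced": {"count": 4}}}',    # normal: object with a count
    '{"detail": {"verifiedButBounced": ""}}',              # parent present but empty string
    '{"detail": {"other": 1}}',                            # parent missing entirely
    '{"detail": {"verifiedButBounced": {"count": ""}}}',   # parent present, count is ""
]

NULL = None  # stands for a field that does not exist in the event


def flatten(obj, prefix=""):
    """Flatten nested JSON into dotted field names, e.g. 'detail.verifiedButBounced.count'.

    Assumption: a parent object is also kept as a field holding its JSON text,
    so 'detail.verifiedButBounced' exists whenever the object does.
    """
    fields = {}
    for key, val in obj.items():
        name = f"{prefix}.{key}" if prefix else key
        if isinstance(val, dict):
            fields[name] = json.dumps(val, separators=(",", ":"))
            fields.update(flatten(val, name))
        else:
            fields[name] = val
    return fields


def spl_not_equal(value, literal):
    """Assumed SPL rule: != against a null field is not true, so if() takes the else branch."""
    return value is not NULL and str(value) != literal


def spl_coalesce(*values):
    """SPL coalesce(): first argument that is not null. An empty string is not null."""
    for v in values:
        if v is not NULL:
            return v
    return NULL


def zero_fill_with_if(fields):
    # SPL: | eval verifiedButBounced=if('detail.verifiedButBounced'!="", 'detail.verifiedButBounced.count', 0)
    if spl_not_equal(fields.get("detail.verifiedButBounced"), ""):
        return fields.get("detail.verifiedButBounced.count")
    return 0


def zero_fill_with_coalesce(fields):
    # SPL (this example's variant): | eval verifiedButBounced=coalesce('detail.verifiedButBounced.count', 0)
    # Applied to the leaf, since the leaf is what the if() form returns.
    return spl_coalesce(fields.get("detail.verifiedButBounced.count"), 0)


def zero_fill_strict(fields):
    # SPL (this example's variant), with c = 'detail.verifiedButBounced.count':
    # | eval verifiedButBounced=if(isnull(c) OR c="", 0, c)
    # Treats a missing count and an empty-string count the same way.
    c = fields.get("detail.verifiedButBounced.count")
    return 0 if c is NULL or c == "" else c


def run(events=SAMPLE_EVENTS):
    """Apply all three forms to each event; returns one result dict per event."""
    results = []
    for raw in events:
        fields = flatten(json.loads(raw))
        results.append({
            "if": zero_fill_with_if(fields),
            "coalesce": zero_fill_with_coalesce(fields),
            "strict": zero_fill_strict(fields),
        })
    return results


if __name__ == "__main__":
    for raw, result in zip(SAMPLE_EVENTS, run()):
        print(raw, "->", result)
```

Running it shows the two forms agreeing on the first three events (4, 0, 0) and both passing an empty-string count straight through on the fourth, because the if() only guards the parent and coalesce() only fills nulls; only the strict form turns that last case into 0. That is the check to run against your own data before swapping one idiom for the other.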

IRHM73
Motivator

Hi @dwaddle, for confirmation, "detail.verifiedButBounced" is the name of the field.

Thank you very much for the confirmation on the steps the statement is taking; it's very useful and will certainly help in the future.

Kind Regards

Chris
