Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

If Statement vs SearchMatch

IRHM73
Motivator
‎03-16-2016 07:00 AM

Hi, I wonder whether someone may be able to help me please.

I'm starting to get to grips with the 'If' statements and understand the basics around these. But I'm using an existing query which contains the line as shown below.

I would understand this if it didn't have the 1 at the end of the statement, but I just wondered whether someone could explain what the 1 actually does. 

|eval Interstitpage=if('detail.journey'="Interstitial",1, 0 )

In addition could someone tell me please would it more efficient to use the "searchmatch" I've read about, and if, could someone possibly explain I may incorporate it into this example.

Many thanks and kind regards

Chris

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎03-16-2016 07:24 AM

The eval statement is creating a pseudo-boolean variable and setting its value. If the detail.journey field has the value "Interstitial" then Interstitpage is set to 1 to represent 'true'; otherwise it is set to 0 to represent 'false'.
I've not used the searchmatch function in part because it is poorly documented. Chatter about it on Answers, however, indicate including a field name in searchmatch can be problematic.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎03-16-2016 07:24 AM

The eval statement is creating a pseudo-boolean variable and setting its value. If the detail.journey field has the value "Interstitial" then Interstitpage is set to 1 to represent 'true'; otherwise it is set to 0 to represent 'false'.
I've not used the searchmatch function in part because it is poorly documented. Chatter about it on Answers, however, indicate including a field name in searchmatch can be problematic.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

IRHM73
Motivator
‎03-16-2016 07:58 AM

Hi @richgalloway, thank you for taking the time to reply to my post, so in essence it's looking to see if a value exists?

So if I've undertsood it correctly in another example I have here:

eval NewUserOptedOut=if(('detail.digital'="false") AND ('detail.journey'="Interstitial"),1, 0 )

Am I correct in saying that if both "detail.digitial="false AND "detail.journey"=Intersitial" then set the result to "True", if not set to "False"?

Many thanks and kind Regards

Chris

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎03-16-2016 08:06 AM

Yes, you are correct, except that NewUserOptedOut will not be a true Boolean variable. That is, a statement like if (NewUserOptedOut, foo, bar) won't work. It would have to be if (NewUserOptedOut==1, foo, bar).

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

IRHM73
Motivator
‎03-16-2016 08:12 AM

Hi, so it's clearly a little different to where there is only one field i.e. one variable?

Kind Regards

Chris

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎03-16-2016 08:29 AM

I don't understand your question, Chris.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

IRHM73
Motivator
‎03-16-2016 08:37 AM

Hi, my apologies. I was just a little confused by your reply where you highlighted that "NewUserOptedOut" would not be a true boolean. I guess I put 2 and 2 together and came up with 5.

Is there any chance you could elaborate on your answer please.

Many thanks and kind regards

Chris

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎03-16-2016 11:06 AM

A true Boolean value holds the result of an assertion (a yes/no test). It's actual content is known only to the "operating system". Booleans cannot be used with an [in]equality operator because we don't know what to compare them to.
Many programming languages, like C, don't use true Booleans. They assign numeric values to "true" and "false" which allows for constructs such as 'if foo == 0' (a statement which is true if foo is false).
Before we get too far off-track, the original eval command is converting a Boolean expression ('detail.journey'="Interstitial") into a numeric expression (1 or 0) for some later use. Splunk restricts how Booleans can be used in some commands, but converting the Boolean to an integer removes those restrictions.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

IRHM73
Motivator
‎03-16-2016 11:13 PM

Hi, thank you for coming back to me with this. This explanation helps a great deal, so thank you for taking the time to put it together.

Kind Regards

Chris

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...