Splunk Search

Why is the "eval if" statement in my search not working as expected?

rusty009
Path Finder

I am trying to run a search which sets a new value depending on another field value. Below is my search:

index = myindex
| rename clientRequest.uri as uri
| eval uri=if("edgeRequest.httpMethod"==POST,"value1","value2")
| stats count by uri

The IF statement never seems to evaluate true. I thought it might be down to the '.', so I renamed the field to 'method', but still no luck. I have also put both the field and the value of the field (POST) in quotes, and it makes no difference. When I run the below search, it works as expected,

index = myindex
"edgeRequest.httpMethod"=POST

it's just when I put it in an if statement that it fails. How do I troubleshoot this?

0 Karma
1 Solution

rusty009
Path Finder

so,

it turns out I was making two mistakes: I had to put the field name in single quotes and the value in double quotes, which seemed to do the trick.

index = myindex
| rename clientRequest.uri as uri
| eval uri=if('edgeRequest.httpMethod'=="POST", "value1", "value2")
| stats count by uri


0 Karma


ryandg
Communicator

This is because of the dreaded period.

Do this:

index = myindex
| rename clientRequest.uri as uri
| rename edgeRequest.httpMethod AS edgeRequest_httpMethod
| eval uri=if(edgeRequest_httpMethod==POST,"value1","value2")
| stats count by uri
0 Karma

javiergn
SplunkTrust

Try with single quotes when comparing the two field values:

index = myindex
| rename clientRequest.uri as uri
| eval uri=if('edgeRequest.httpMethod'==POST, "value1", "value2")
| stats count by uri
0 Karma

javiergn
SplunkTrust

If you could provide a couple of samples I could try to replicate at home.
Simply run something like this:

index = myindex
| rename clientRequest.uri as uri
| eval uri=if('edgeRequest.httpMethod'==POST, "value1", "value2")
| table uri, POST, edgeRequest.httpMethod

And provide a few samples.

0 Karma

rusty009
Path Finder

Thanks, but this didn't work. When I rename edgeRequest.httpMethod to method I get the same issue, which to me means the field name has nothing to do with the issue; I think it's the value itself. Would you know how I could troubleshoot a search?

0 Karma
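Added example, not part of the original thread: a self-contained search that reproduces the accepted solution's point (in eval, single quotes reference a field, double quotes make a string literal) and javiergn's suggestion of using table to troubleshoot, without needing myindex. The four sample events, the method/path regex and the result field names are constructed for the example and are assumptions; only the edgeRequest.httpMethod and clientRequest.uri field names come from the thread.

```spl
| makeresults count=1
| eval _raw="POST /api/login;GET /index.html;POST /api/upload;GET /health"
| makemv delim=";" _raw
| mvexpand _raw
| rex field=_raw "^(?<method>\S+)\s+(?<path>\S+)$"
| rename method AS edgeRequest.httpMethod, path AS clientRequest.uri
| eval wrong_literal_vs_field=if("edgeRequest.httpMethod"==POST, "value1", "value2")
| eval right_field_vs_literal=if('edgeRequest.httpMethod'=="POST", "value1", "value2")
| eval right_case_insensitive=if(lower('edgeRequest.httpMethod')=="post", "value1", "value2")
| table _raw, edgeRequest.httpMethod, clientRequest.uri, wrong_literal_vs_field, right_field_vs_literal, right_case_insensitive
```

In the first eval, "edgeRequest.httpMethod" is a string literal and POST is read as a field that does not exist, so the comparison is never true and every row gets "value2", which is the symptom described in the question. In the second, the dotted field is referenced with single quotes and compared with the string literal "POST", so the two POST rows get "value1". The third form is the caveat a practitioner should know: eval's == is case-sensitive, whereas the search-time filter "edgeRequest.httpMethod"=POST from the question matches regardless of case, so normalising with lower() avoids surprises when the method field is not consistently upper case. Running the table step before the stats makes it obvious which side of the comparison is empty.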