- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Why does is the "eval if" statement in my search n...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am trying to run a search which sets a new value depending on another field value. Below is my serach:
index = myindex | rename
clientRequest.uri as uri | eval uri=
if("edgeRequest.httpMethod"==POST,"value1","value2")
| stats count by uri
The IF statement never seems to fall true. I thought it may be down to the . so I renamed the field to 'method', but still no luck. I also have put both the field & the value of the field (POST) in quotes and it makes no difference. When I run the below search, it works as expected,
index = myindex
"edgeRequest.httpMethod"=POST
it's just when I put it in an if statement it fails. How do I troubleshoot this ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
so,
it turns out I was making two mistakes, I had to put the field name in single quotes and the value in double quotes which seemed to do the trick.
index = myindex
| rename clientRequest.uri as uri
| eval uri=if('edgeRequest.httpMethod'=="POST", "value1", "value2")
| stats count by uri
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
so,
it turns out I was making two mistakes, I had to put the field name in single quotes and the value in double quotes which seemed to do the trick.
index = myindex
| rename clientRequest.uri as uri
| eval uri=if('edgeRequest.httpMethod'=="POST", "value1", "value2")
| stats count by uri
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is because of the dreaded period.
Do this:
index = myindex | rename
clientRequest.uri as uri |
|rename edgeRequest.httpMethod AS "edgeRequest_httpMethod"
|eval uri=
if(edgeRequest_httpMethod==POST,"value1","value2")
| stats count by uri
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try with single quotes when comparing the two field values:
index = myindex
| rename clientRequest.uri as uri
| eval uri=if('edgeRequest.httpMethod'==POST, "value1", "value2")
| stats count by uri
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you could provide a couple of samples I could try to replicate at home.
Simply run something like this:
index = myindex
| rename clientRequest.uri as uri
| eval uri=if('edgeRequest.httpMethod'==POST, "value1", "value2")
| table uri, POST, edgeRequest.httpMethod
And provide a few samples.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, but this didn't work.When I rename edgeRequest.httpMethod to method I get the same issue, which to me means the field name has nothing to do with the issue, I think it's the value itself. Would you know how I could troubleshoot a search?
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
