Splunk Search

If statement is not returning value with evaluate a "tag" value

steinroardahl
Observer

Hi,
I am trying to evaluate a tag value like this: eval X=if(tag="NY",_time,"1")
I have tried everything and am stuck in the mud. Anybody?

0 Karma

nikita_p
Contributor

Hi @steinroardahl,
Is "tag" a field name? Because eval will work only if it is a field and not a value in your events.

0 Karma

steinroardahl
Observer

Hi, is this true also with eventtypes?

0 Karma

mayurr98
Super Champion

Hey @steinroardahl,
I tried the below search and it is working perfectly fine:

| eval X=if(tag="NY",_time,"1")

If you are not getting results, then try this first:

index=your_index tag="NY"

If the above search is returning events, then your eval should return events; otherwise your eval will not return any events.

Let me know if this helps you!

0 Karma

elliotproebstel
Champion

That syntax looks accurate. Can you share a couple of sample events and the expected results vs. the current results?

0 Karma

lguinn2
Legend

I tried this in my own environment and it worked perfectly. Remember that the if function is case-sensitive.
Is it possible that your search is not returning any fields with the "NY" tag?

Also: what @elliotproebstel said

0 Karma