If statment is not returning value with evaluate a...

steinroardahl · ‎01-03-2018

Hi,
i'am trying to evaluate a tag value like this: eval X=if(tag="NY",_time,"1")
I have trying everything and stuck in the mud. Anybody?

nikita_p · ‎01-04-2018

Hi @steinroardahl,
Is "tag" a field name because eval will work only if it is a field and not a value in your events?

steinroardahl · ‎01-09-2018

Hi, is this true all sow with eventtypes?

mayurr98 · ‎01-03-2018

hey @steinroardahl
I tried below search and it is working perfectly fine:

| eval X=if(tag="NY",_time,"1")

If you are not getting results then try this first

index=your_index tag="NY"

If above search is returning events then your eval should return events else your eval will not return any events.

let me know if this helps you!

elliotproebstel · ‎01-03-2018

That syntax looks accurate. Can you share a couple of sample events and the expected results vs. the current results?

lguinn2 · ‎01-03-2018

I tried this in my own environment and it worked perfectly. Remember that the if function is case-sensitive.
Is it possible that your search is not returning any fields with the "NY" tag?

Also: what @elliotproebstel said

If statment is not returning value with evaluate a "tag" value

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM