Splunk Search

EVAL for ELSE IF condition

davidcraven02
Communicator

My logic for my field "Action" is below, but because there is different else conditions I cannot write an eval do achieve the below.

if (Location="Varonis" AND (like(Path,"%Hosting%")
then Status=Action Required

else if(Location="Varonis" AND ( MonitoringStatus!="Monitored" OR MonitoringStatus=null )
then Status=Action Required

else if(Location="Varonis" AND ( DayBackUpStatus!="Backed Up" OR DayBackUpStatus=null )
then Status=Action Required

else if(Location="Varonis" AND ( DayBackUpStatus!="Backed Up" OR DayBackUpStatus=null )
then Status=Action Required

0 Karma

aniketsamudra
Engager

Having a similar issue,

| eval Test= if( (like('thrown.extendedStackTrace',"%403%"),"403"),(like('thrown.extendedStackTrace',"%404%"),"404"),"###ERROR####")


But getting error as -->

Error in 'EvalCommand': The expression is malformed. Expected ).
 




0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Brackets in the wrong place and it looks like the else part of the first if should start with another if

| eval Test= if( (like('thrown.extendedStackTrace',"%403%"),"403", if(like('thrown.extendedStackTrace',"%404%"),"404","###ERROR####"))
0 Karma

aniketsamudra
Engager

Got it resolved.. corrected one bracket

Thank You so much for the pointer on 'if' required everytime

0 Karma

aniketsamudra
Engager

Nope!

Getting error as 

Error in 'EvalCommand': The expression is malformed. Expected ).
 
0 Karma

scelikok
SplunkTrust
SplunkTrust

Hi @aniketsamudra 

You should use case statement like below;

| eval Test=case(like('thrown.extendedStackTrace',"%403%"),"403", like('thrown.extendedStackTrace',"%404%"),"404",1=1,"###ERROR####")

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.

493669
Super Champion

can you try below:

...| eval Status=if((Location="Varonis" AND like(Path,"%Hosting%")),"Action Required",(Location="Varonis" AND (MonitoringStatus!="Monitored" OR MonitoringStatus="null" OR DayBackUpStatus!="Backed Up" OR DayBackUpStatus="null")),"Action Required",1=1,"Action NOT Required")

I have combined two conditions

0 Karma

mayurr98
Super Champion

hey try this

 <your_base_query> 
| eval Status=if((Location="Varonis" AND like(Path,"%Hosting%")),"Action Required",(Location="Varonis" AND (MonitoringStatus!="Monitored" OR MonitoringStatus="null")),"Action Required",(Location="Varonis" AND (DayBackUpStatus!="Backed Up" OR DayBackUpStatus="null")),"Action Required","Action NOT Required")

I hope this helps you!

0 Karma

mayurr98
Super Champion

hey @davidcraven02
you need to put null in "null" in order to make it work.
try my search!

0 Karma

nickhills
Ultra Champion

The last two statements look identical, so assuming there are 3 statements:

Maybe case would be more useful:

...|eval Status=case((Location="Varonis" AND (like(Path,"%Hosting%"))),"Action Required",(Location="Varonis" AND ( MonitoringStatus!="Monitored" OR MonitoringStatus="null" )),"Action required",(Location="Varonis" AND ( DayBackUpStatus!="Backed Up" OR DayBackUpStatus="null" )),"Action Required",1<2,"No Action required")
If my comment helps, please give it a thumbs up!

davidcraven02
Communicator

Thank you , this mostly works, the only issue is that for NULL values in DayBackUpStatus that exist within Varonis are not getting picked up as action required.

0 Karma

nickhills
Ultra Champion

sorry sloppy copy and paste on my part.
null should be double quoted - or you could use isnull()

If my comment helps, please give it a thumbs up!
0 Karma

davidcraven02
Communicator

This didnt work, the query below his doesnt pick up null values and when I use isnull() it makes all the status column equal 'Action Required' for all

|eval Status=case((Location="Varonis" AND (like(Path,"%Hosting%"))),"Action Required",
(Location="Varonis" AND ( MonitoringStatus!="Monitored" OR MonitoringStatus="null" )),"Action required", (Location="Varonis" AND ( DayBackUpStatus!="Backed Up" OR DayBackUpStatus="null" )),"Action Required",1<2,"No Action required")
0 Karma

nickhills
Ultra Champion

do the fields contain the word null, or are they empty?

if empty, could you try MonitoringStatus!=*

If my comment helps, please give it a thumbs up!
0 Karma

micahkemp
Champion

Consider the case function.

Example from the doc:

eval description=case(error ==404, "Not found", error == 500,
"Internal Server Error", error == 200, "OK")

Though your example looks like it could be done in a single if, using OR to join the clauses since they all have the same return value of Action Required.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...