- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- EVAL for ELSE IF condition
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
EVAL for ELSE IF condition
My logic for my field "Action" is below, but because there is different else conditions I cannot write an eval do achieve the below.
if (Location="Varonis" AND (like(Path,"%Hosting%")
then Status=Action Required
else if(Location="Varonis" AND ( MonitoringStatus!="Monitored" OR MonitoringStatus=null )
then Status=Action Required
else if(Location="Varonis" AND ( DayBackUpStatus!="Backed Up" OR DayBackUpStatus=null )
then Status=Action Required
else if(Location="Varonis" AND ( DayBackUpStatus!="Backed Up" OR DayBackUpStatus=null )
then Status=Action Required
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Having a similar issue,
| eval Test= if( (like('thrown.extendedStackTrace',"%403%"),"403"),(like('thrown.extendedStackTrace',"%404%"),"404"),"###ERROR####")
But getting error as -->
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Brackets in the wrong place and it looks like the else part of the first if should start with another if
| eval Test= if( (like('thrown.extendedStackTrace',"%403%"),"403", if(like('thrown.extendedStackTrace',"%404%"),"404","###ERROR####"))- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Got it resolved.. corrected one bracket
Thank You so much for the pointer on 'if' required everytime
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Nope!
Getting error as
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You should use case statement like below;
| eval Test=case(like('thrown.extendedStackTrace',"%403%"),"403", like('thrown.extendedStackTrace',"%404%"),"404",1=1,"###ERROR####")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
can you try below:
...| eval Status=if((Location="Varonis" AND like(Path,"%Hosting%")),"Action Required",(Location="Varonis" AND (MonitoringStatus!="Monitored" OR MonitoringStatus="null" OR DayBackUpStatus!="Backed Up" OR DayBackUpStatus="null")),"Action Required",1=1,"Action NOT Required")
I have combined two conditions
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hey try this
<your_base_query>
| eval Status=if((Location="Varonis" AND like(Path,"%Hosting%")),"Action Required",(Location="Varonis" AND (MonitoringStatus!="Monitored" OR MonitoringStatus="null")),"Action Required",(Location="Varonis" AND (DayBackUpStatus!="Backed Up" OR DayBackUpStatus="null")),"Action Required","Action NOT Required")
I hope this helps you!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hey @davidcraven02
you need to put null in "null" in order to make it work.
try my search!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The last two statements look identical, so assuming there are 3 statements:
Maybe case would be more useful:
...|eval Status=case((Location="Varonis" AND (like(Path,"%Hosting%"))),"Action Required",(Location="Varonis" AND ( MonitoringStatus!="Monitored" OR MonitoringStatus="null" )),"Action required",(Location="Varonis" AND ( DayBackUpStatus!="Backed Up" OR DayBackUpStatus="null" )),"Action Required",1<2,"No Action required")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you , this mostly works, the only issue is that for NULL values in DayBackUpStatus that exist within Varonis are not getting picked up as action required.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sorry sloppy copy and paste on my part.
null should be double quoted - or you could use isnull()
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This didnt work, the query below his doesnt pick up null values and when I use isnull() it makes all the status column equal 'Action Required' for all
|eval Status=case((Location="Varonis" AND (like(Path,"%Hosting%"))),"Action Required",
(Location="Varonis" AND ( MonitoringStatus!="Monitored" OR MonitoringStatus="null" )),"Action required", (Location="Varonis" AND ( DayBackUpStatus!="Backed Up" OR DayBackUpStatus="null" )),"Action Required",1<2,"No Action required")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
do the fields contain the word null, or are they empty?
if empty, could you try MonitoringStatus!=*
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Consider the case function.
Example from the doc:
eval description=case(error ==404, "Not found", error == 500,
"Internal Server Error", error == 200, "OK")
Though your example looks like it could be done in a single if, using OR to join the clauses since they all have the same return value of Action Required.
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
