- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Can I use an eval statement inside an if statement...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi ,
Can I use an eval statement inside an if?
I have to implement something like this :
I have two fields : one country code and another area code .
I have to give list of employee ids who have country code as NZ , country code not like AU and area code like 2345
Can anyone help me with this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this:
| eval employee_satisfied = case(
countrycode=NZ AND countrycode!=AU, a,
areacode=2345, b,
true(), "Not satisfied")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this:
| eval employee_satisfied = case(
countrycode=NZ AND countrycode!=AU, a,
areacode=2345, b,
true(), "Not satisfied")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@shraddhamuduli, Sorry without data and proper explanation, it is not clear what you want to do. Please provide more details on what you currently have and what you expect. Also provide the current query that you have tried.
Do you need something like following where country code and area code fields are country_code and area_code respectively?
<yourSearch>
| eval employee_type=case(country_code="NZ","TypeA",country_code="AU" AND area_code=2345,"TypeB",true(),"TypeOthers")
| stats count by employee_type
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi ,
i'm computing this :
failure=Uniq(# transaction_id having Req-in, NO Req-out and Response out with status-code=500)/ Uniq(# transaction_id of Req-in)
fields : logpoint, transaction-id,status-code
logpoint values: request-in,request-out,response-in,response-out
to translate this :
failure is the computation result
Numerator : unique transaction ids for those logpoints which have request in and no request out AND response out with status code as 500)
NOTE : every logpoint has a status code
so by response code with status cod=500 means only for response-out
Denominator: unique transaction ids with logpoint as request-in
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Also Niket,
Can i use 2 where condition in a single search , each where should be made on the base search
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
eval a = if( countrycode=NZ and countrycode!=AU , then a= employee ids of both the satisfying condition
eval b=if(areacode=2345, then b=employee ids of the satisfying condition
combine a and b into c
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk eval syntax will look like this
| eval <NEW FIELD NAME> = if(<CONDITION>, <TRUE>, <FALSE>)
There's no than inside it
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Still not very clear what your end goal is here.
countrycode=NZ and countrycode!=AU is a bit of a pointless condition. If countrycode=NZ, it cannot at the same time be AU. So that and countrycode!=AU is redundant here.
You want one set of employee IDs based on countrycode filter in field a and one set of employee IDs based on areacode filter in field b?
Rather than trying to write a solution, can you just functionally/conceptually explain what you want to do?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you clarify the data you have (screenshots are most helpful usually) and what exactly you want to achieve?
You're asking for an eval inside an if, but then you say you just need to filter a list of employees based on country code and area code. That sounds like something you can do with a simple search query. What do you think you need the eval for?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
eval a = if( countrycode=NZ and countrycode!=AU , then a= employee ids of both the satisfying condition
eval b=if(areacode=2345, then b=employee ids of the satisfying condition
combine a and b into c
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @shraddhamuduli,
In what kind of index/table are the information stored?
Are the 2 fields configured as inut in a dashboard or the result of a query?
It would be interesting to know in order to be more to the point where providing the answer to your question.
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
