
Can you help me with a problem using conditionals in eval macros?

d389133
Explorer

Hi All,

I'm struggling to get an eval macro working using conditionals (either case or if statement).

No matter what I try, I seem to get either a Null result, or an error about expecting a string.

My use case is that I'm trying to compare a time period with the same time period on the same day of the week over several previous weeks.

For example, if I'm looking at response times between 14:00 and 14:30 on a Monday afternoon, I want to look back over the previous several weeks and determine the average for that time period.

This is easy enough when using normal eval statements, but with millions of events to run the evals on, it takes forever, so I'd like to use macros in my initial search to speed things up.

So, ideally, I want to have a macro that takes _time as a param, and then returns a string so I can include FilterTime(_time)="True" or something similar in my initial search.

Now, onto my actual problem — conditionals never work. Even when I do a super basic macro that doesn't take params, I don't get the expected results.

For example this eval macro:

case(4 > 5, "No", 5 > 4, "Yes", 1=1, "Shrug")

Returns Null (Instead of "Yes", or even "Shrug") when I call it like this:

|makeresults|eval keep=tostring(`FilterDates(weeks)`)

My actual macro will be far more complex, and I can build the individual statements, but conditionals just aren't returning. Does anyone have any suggestions?

0 Karma
1 Solution

whrg
Motivator

Hi!
When creating the macro, did you enable Use eval-based definition (iseval = 1)?
If so, the macro will return a string. In your example that would be Yes, without quotes. Now tostring(Yes) in your search will return Null.

I tried it differently:

Name:                            FilterDates(1)
Definition:                      case(4>5,"No",5>4,"Yes",1=1,"Shrug")
Use eval-based definition:       No
Arguments:                       arg1

Now when I search for

| makeresults count=1 | eval keep=`FilterDates(weeks)`

then I get:

keep
Yes


0 Karma

d389133
Explorer

Thank you! This was the important part:

In your example that would be Yes, without quotes

You are entirely correct, it's returning an unquoted string which was causing my issues.
If I include escaped double quotes in the string it works (i.e. "\"Yes\"")

This seems counterintuitive to me, but I think I can work with it now.
Thanks again!
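
The three variants discussed in this thread, written out as macros.conf stanzas. This is an added example, not posted by either participant; the `_unquoted`, `_quoted` and `_plain` stanza name suffixes are hypothetical, and the comments show the search text after macro expansion as the answer describes it.

```ini
# macros.conf -- constructed stanzas; the name suffixes are hypothetical

# 1) Eval-based, as in the question. The definition is evaluated as an eval
#    expression and its string result is pasted into the search text.
[FilterDates_unquoted(1)]
args = arg1
iseval = 1
definition = case(4>5,"No",5>4,"Yes",1=1,"Shrug")
# | makeresults | eval keep=tostring(`FilterDates_unquoted(weeks)`)
# expands to:
# | makeresults | eval keep=tostring(Yes)
# Yes is now read as a field name; no such field exists, so keep is Null.

# 2) Eval-based, with the double quotes made part of the returned string.
[FilterDates_quoted(1)]
args = arg1
iseval = 1
definition = case(4>5,"\"No\"",5>4,"\"Yes\"",1=1,"\"Shrug\"")
# | makeresults | eval keep=tostring(`FilterDates_quoted(weeks)`)
# expands to:
# | makeresults | eval keep=tostring("Yes")
# "Yes" is a string literal, so keep is Yes.

# 3) Not eval-based, as in the accepted answer. The definition text itself
#    is pasted into the search and evaluated there by eval.
[FilterDates_plain(1)]
args = arg1
iseval = 0
definition = case(4>5,"No",5>4,"Yes",1=1,"Shrug")
# | makeresults count=1 | eval keep=`FilterDates_plain(weeks)`
# expands to:
# | makeresults count=1 | eval keep=case(4>5,"No",5>4,"Yes",1=1,"Shrug")
# keep is Yes.
```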
