| inputlookup list.csv
| eval newbigfix=if(bigfix = 1,1,0)
| eval newnorton=if(norton = 1,3,0)
| eval newmcafee=if(mcafee = 1,6,0)
| eval search_score = newbigfix + newnorton + newmcafee
The above search works and returns all of the columns needed and adds the correct numbers to the columns.
However, I am trying to run an eval with an if-then statement after the above search, as follows:
| inputlookup list.csv
| eval newbigfix=if(bigfix = 1,1,0)
| eval newnorton=if(norton = 1,3,0)
| eval newmcafee=if(mcafee = 1,6,0)
| eval search_score = newbigfix + newnorton + newmcafee
| eval search1 = if (search_score == 1, [search index="bigfix" IPAddress ="198.168.1.25" | table IPAddress, CompName, MAC , OS, Manufacturer, Model], "")
The above search fails with the following error:
Error in 'eval' command: Fields cannot be assigned a boolean result. Instead, try if([bool expr], [expr], [expr]).
The search job has failed due to an error. You may be able view the job in the Job Inspector.
If I run just the search:
| search index="bigfix" IPAddress ="198.168.1.25" | table IPAddress, CompName, MAC , OS, Manufacturer, Model
It runs just fine.
Any ideas why the | eval search1 = if is not working?
Maybe this?
index="bigfix"
[|inputlookup list.csv
| eval search_score = if(bigfix = 1,1,0) + if(norton = 1,3,0) + if(mcafee = 1,6,0)
| where search_score==1
| rename ip AS IPAddress
| table IPAddress]
| table IPAddress, CompName, MAC , OS, Manufacturer, Model
Give me a mockup of what you expect search1 to contain at the end.
We have 4 fields in the | inputlookup list.csv as follows:
ip            bigfix  norton  mcafee
198.168.1.25  1       0       0
| inputlookup list.csv
| eval newbigfix=if(bigfix = 1,1,0)
| eval newnorton=if(norton = 1,3,0)
| eval newmcafee=if(mcafee = 1,6,0)
| eval search_score = newbigfix + newnorton + newmcafee
The if-then eval statements look at the fields to see if there is a 0 or 1 in each of the agent fields and then create a new column called "search_score" by adding all of the agent field numbers together and assigning a score:
ip            bigfix  norton  mcafee  search_score
198.168.1.25  1       0       0       1
For example, in the case of 198.168.1.25, the if-then statement sees that there is a 1 for bigfix and a 0 for norton and mcafee. The final eval statement will add all of the scores together and assign a score. In this case, because 198.168.1.25 only has a 1 for bigfix and 0 for norton and mcafee, it will be assigned a 1 for the newly created "search_score" field.
With regard to your question, "search1" looks to see which IPs have a search_score equal to 1, because we know that having a search_score equal to 1 can only mean the IP has a 1 for bigfix. search1 will return the following fields from bigfix: IPAddress, CompName, MAC, OS, Manufacturer, Model. If the IP has a search_score of 4, we know the IP has bigfix and norton, and search1 will return fields from bigfix and norton. I chose just to use bigfix in search1 as an example to make it less complicated to explain.
Does that help in better understanding what search1 is supposed to do?
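The scoring scheme described in the post above, reproduced outside Splunk as an added example (this is not code from the thread): it reads lookup rows with the columns of list.csv, computes search_score exactly as the eval chain does, checks that the 1/3/6 weights give every agent combination a distinct score, and decodes a score back into the list of agents (and therefore indexes) to query. The CSV rows are constructed sample data, and the assumption that each agent name is also the Splunk index name (the thread only states this for bigfix) is marked in the code.

```python
"""
Added example, not from the original thread: the agent-presence scoring
from list.csv done outside Splunk so the weights can be checked.
Assumption: each agent name is also the name of the index holding its
asset data (the thread only shows this for index="bigfix").
"""
import csv
import io
from itertools import combinations

# Weights exactly as in the thread's eval statements.
WEIGHTS = {"bigfix": 1, "norton": 3, "mcafee": 6}

# Constructed sample of list.csv; the thread shows only the first row.
SAMPLE_CSV = """ip,bigfix,norton,mcafee
198.168.1.25,1,0,0
10.0.0.7,1,1,0
10.0.0.8,0,0,1
10.0.0.9,0,0,0
10.0.0.10,1,1,1
"""


def weights_are_decodable(weights):
    """True if every combination of agents sums to a distinct score.

    The thread's 1/3/6 passes; weights such as 1/2/3 would not (1+2 == 3),
    and then a score could not be read back as a set of agents.
    """
    seen = set()
    names = sorted(weights)
    for r in range(len(names) + 1):
        for combo in combinations(names, r):
            total = sum(weights[n] for n in combo)
            if total in seen:
                return False
            seen.add(total)
    return True


def score_row(row, weights=WEIGHTS):
    """search_score as the eval chain computes it: weight if the field is 1, else 0."""
    return sum(w for name, w in weights.items() if row.get(name) == "1")


def decode_score(score, weights=WEIGHTS):
    """Map a search_score back to the set of agents that produced it.

    Raises ValueError for a score no combination produces (e.g. 2, 5, 8),
    which would indicate a bad row in the lookup.
    """
    names = sorted(weights)
    for r in range(len(names) + 1):
        for combo in combinations(names, r):
            if sum(weights[n] for n in combo) == score:
                return frozenset(combo)
    raise ValueError(f"no agent combination sums to {score}")


def plan_searches(csv_text, weights=WEIGHTS):
    """Return {ip: (search_score, [index names to query])} for each lookup row.

    The index list is the decoded agent set (assumed index name == agent name).
    """
    plan = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        score = score_row(row, weights)
        plan[row["ip"]] = (score, sorted(decode_score(score, weights)))
    return plan


if __name__ == "__main__":
    print("weights decodable:", weights_are_decodable(WEIGHTS))
    for ip, (score, indexes) in plan_searches(SAMPLE_CSV).items():
        print(f"{ip:14} search_score={score:2}  query indexes: {indexes or 'none'}")
```

The point of `weights_are_decodable` is the check the thread relies on implicitly: 1, 3 and 6 happen to sum differently for every subset, which is why a score of 4 can be read as bigfix plus norton. The usual choice is powers of two (1, 2, 4), where each agent is one bit of the score and decodability is obvious; whichever weights are used, the read-back is what a `case()` on search_score would have to spell out in SPL.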
I know that you are trying, but it still makes absolutely no sense to me at all. Let's go back around again. Show me 5 lines of what the output is after the | eval search_score = newbigfix + newnorton + newmcafee line executes. Then DO NOT SHOW ANY MORE SPL. Just show me how you would like those 5 lines transformed for your final result.
Try this:
| makeresults | eval bigfix=1 | eval norton=1 | eval mcafee=0
| eval newbigfix=if(bigfix = 1,1,0)
| eval newnorton=if(norton = 1,3,0)
| eval newmcafee=if(mcafee = 1,6,0)
| eval search_score = newbigfix + newnorton + newmcafee
| eval search1 = if (search_score == 4, "index=bigfix IPAddress =198.168.1.25 | table IPAddress CompName MAC OS Manufacturer Model","")
Error in 'makeresults' command: This command must be the first command of a search.
The search job has failed due to an error. You may be able view the job in the Job Inspector.
Hello!
For this search we are using a lookup table (CSV), so | inputlookup list.csv needs to be there.
For further clarification, the eval statement below:
| inputlookup list.csv
| eval newbigfix=if(bigfix = 1,1,0)
| eval newnorton=if(norton = 1,3,0)
| eval newmcafee=if(mcafee = 1,6,0)
| eval search_score = newbigfix + newnorton + newmcafee
adds
| eval newbigfix=if(bigfix = 1,1,0)
What this statement is saying is that if the IP has a 1 in the bigfix field, we assign it a 1; if it doesn't, it assigns it a 0 (because it doesn't have bigfix). The number it gets assigned goes into the "newbigfix" field.
The above is the same for all 3 eval statements. Once the "new" score is assigned for a given IP, I do an eval to add up all of the numbers and place the number in a new field called "search_score":
| eval search_score = newbigfix + newnorton + newmcafee
In order to return the correct fields, I use another eval statement, "search1", to return fields based on the "search_score":
| eval search1 = if (search_score == 1, [search index="bigfix" IPAddress ="198.168.1.25" | table IPAddress, CompName, MAC , OS, Manufacturer, Model], "")
Try this:
| where index="bigfix" AND IPAddress="198.168.1.25" | table IPAddress, CompName, MAC , OS, Manufacturer, Model