We have 4 fields in the | inputlookup list.csv as follows:

ip                 bigfix       norton      mcafee 
198.168.1.25       1          0                 0

1. | inputlookup list.csv 
2. | eval newbigfix=if(bigfix = 1,1,0)
3. | eval newnorton=if(norton = 1,3,0)
4. | eval newmcafee=if(mcafee = 1,6,0)
5. | eval search_score = newbigfix + newnorton + newmcafee

The if then eval statements looks at the fields to see if there is a 0 or 1 in each of the agent fields and then creates a new column called “search_score” by adding all of the numbers agent field numbers together and assigns a score:

ip                bigfix        norton      mcafee     search_score
198.168.1.25       1           0                      0     1

For example, in the case of 198.168.1.25, the if than statement sees that there is a 1 for bigfix and a 0 for norton and mcafee. The final eval statement will add all of the scores together and assign a score. In this case, because 198.168.1.25 only has a 1 for bigfix and 0 for norton and mcafee, it will be assigned a 1 for the newly created "search_score" field.

1. | eval search1 = if (search_score == 1, [search index="bigfix" IPAddress ="198.168.1.25" | table IPAddress, CompName, MAC , OS, Manufacturer, Model], "")

In regards to your question, “search1" looks to see which ips have a search score equal to 1, because we know that having a search_score equal to 1 can only mean the ip has a 1 for big fix. search1 will return the following fields from bigfix- IPAddress, CompName, MAC , OS, Manufacturer, Model. If the ip has a search_score of 4, we know the ip has bigfix and norton, search1 will return fields from bigfix and norton. I chose just to use bigfix in search1 as an example to make it less complicated to explain for help.

Does that help in better understanding of what search 1 is suppose to do?

I know that you are trying but it still makes absolutely no sense to me at all. Let's go back around again. Show me 5 lines of what the output is after the | eval search_score = newbigfix + newnortn + newmcafee line executes. Then DO NOT SHOW ANY MORE SPL. Just show me how you would like those 5 lines transformed for your final result.

Error in 'makeresults' command: This
command must be the first command of a
search. The search job has failed due
to an error. You may be able view the
job in the Job Inspector.

Hello!

For this search we are using a lookuptable (CSV), so | inputlookup list.csv needs to be there.

For further clarification the eval statement below:

| inputlookup list.csv
| eval newbigfix=if(bigfix = 1,1,0)
| eval newnorton=if(norton = 1,3,0)
| eval newmcafee=if(mcafee = 1,6,0)
| eval search_score = newbigfix + newnorton + newmcafee
adds

| eval newbigfix=if(bigfix = 1,1,0)

What this statement is saying is that if the ip has a 1 in the bigfix field we assign it a 1, if it doesn't -it assigns it a 0 (because it doesn't have big fix). The number it gets assigned goes into the "newbigfix" field.

The above is that same for all 3 eval statements. Once the "New" score is assigned for a given IP, I do an eval to add up all of the numbers and place the number in a new field called "search score":

| eval search_score = newbigfix + newnorton + newmcafee

In order to return the correct fields, I use another eval statement "search1" to return fields based on the "search_score"

| eval search1 = if (search_score == 1, [search index="bigfix" IPAddress ="198.168.1.25" | table IPAddress, CompName, MAC , OS, Manufacturer, Model], "")