- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Why is my eval if() not working consistantly
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm having a difficult time getting what I believe is a simple eval command to work as I would expect. What I'm trying to accomplish is to convert a 1 or 0 into Yes or No respectively. I'm able to do so just fine on one field, but 2 others are giving me a problem. Here's the search I'm running:
| rest /servicesNS/-/-/saved/searches
| search action.myAction=1
| foreach action.myAction.param.myParam1 action.myAction.param.myParam2 is_scheduled [eval <<FIELD>>=if(isnull(<<FIELD>>),<<FIELD>>,if(<<FIELD>>=1,"Yes","No"))]
| rename action.myAction.param.myParam1 as param1, action.myAction.param.myParam2 as param2</pre>
I had to add the isnull check as the 2 param fields do not always have data in them and the search would not run without the isnull. This search does result in Yes/No values in the is_scheduled field, but the param fields remain unchanged. To my knowledge, Splunk is treating them as numbers as they are right-justified in the results table.
Here is some sample output from the above search:
title, param1, param2, is_scheduled
alert1, , yes
alert2, 1, 1, Yes
alert3, 1, 0, Yes
alert4, 0, 0, Yes
I have also tried adding another field to test whether the data is a string, number or null, but end up with very strange results from that. I added the following lines between the search and foreach lines to get the results below:
| eval isNumber=if(isNum(action.myAction.param.myParam1),"yes","no")
| eval isString=if(isStr(action.myAction.param.myParam1),"yes","no")
| eval isNull=if(isNull(action.myAction.param.myParam1),"yes","no")
Results:
title, param1, param2, is_scheduled, isNumber, isString, isNull
alert1, , yes, no, no, yes
alert2, 1, 1, Yes, no, no, yes
alert3, 1, 0, Yes, no, no, yes
alert4, 0, 0, Yes, no, no, yes
I have copied and pasted the field name everywhere within the command to make sure I haven't typo'd anything and I have tried renaming the fields prior to the eval command and using the renamed field instead of the original, but that changes nothing. I have also tried doing it outside a foreach loop, but still get the same results.
What am I missing? Is there a better way to accomplish what I'm trying to do?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I know you say you tried renaming the field before the eval, but I suspect that there might have been an error when you were testing that. Compare the following two:
| stats count | eval test.test1.testing="thing", test2="other", test3="thing" | foreach test.testing1.testing test2 test3 [ eval <>=if(<>="thing","renamed",<>) ]
and
| stats count | eval test.test1.testing="thing", test2="other", test3="thing" | rename test.test1.testing AS test1 | foreach test1 test2 test3 [ eval <>=if(<>="thing","renamed",<>) ]
When I run these, the first shows this - which matches your test results (note that the value of the first variable remains unchanged):
count test.test1.testing test2 test3
0 thing other renamed
and the second (which renames the field name test.test1.testing to test1 before the foreach and eval loop) gives me the desired result:
count test1 test2 test3
0 renamed other renamed
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I know you say you tried renaming the field before the eval, but I suspect that there might have been an error when you were testing that. Compare the following two:
| stats count | eval test.test1.testing="thing", test2="other", test3="thing" | foreach test.testing1.testing test2 test3 [ eval <>=if(<>="thing","renamed",<>) ]
and
| stats count | eval test.test1.testing="thing", test2="other", test3="thing" | rename test.test1.testing AS test1 | foreach test1 test2 test3 [ eval <>=if(<>="thing","renamed",<>) ]
When I run these, the first shows this - which matches your test results (note that the value of the first variable remains unchanged):
count test.test1.testing test2 test3
0 thing other renamed
and the second (which renames the field name test.test1.testing to test1 before the foreach and eval loop) gives me the desired result:
count test1 test2 test3
0 renamed other renamed
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You are correct. I know I did test with renaming before the eval, but must have done something wrong as it's working now.
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Glad I could help! I know how frustrating it is to test all possible error conditions for complex searches. 🙂
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
