Hi all, I am trying to run this simple search:
SourceType=FooMonitoring |eval isSuccess=if(Test.TestIsSuccessful=="true","Yes","No") | table isSuccess Test.TestIsSuccessful
I am getting the following results: (can't post an image...)
isSuccess Test.TestIsSuccessful
--------------------------------------
No true
No true
No true
No true
No true
No true
No true
I am expecting all the isSuccess values to be "Yes" but no matter what I do the if expression does not evaluate to true. Tried different ways, tried removing the double quotes around the "true" part with no luck.
Note that the raw data is json, but I didn't encounter any problems with it so far and I don't know if it is related or not...
I am using splunk 6
Please help me figure out what am I doing wrong.
Thanks!
... View more