Usage of Splunk EVAL Function : IF

  • This function takes three arguments: X, Y and Z.
  • The first argument X must be a Boolean expression.
  • If X evaluates to TRUE, the function returns the second argument Y.
  • If X evaluates to FALSE, the function returns the third argument Z.
  • Z is the "else" part of the "if" function; it cannot be left blank.

The skeleton of the "if" function used with the eval command is:

                                       ..... | eval New_Field=if(X,"Y","Z")

Example 1:

index="_internal"
| eval NEW_FIELD=if(method=="DELETE","PASS","FAIL")
| table method,NEW_FIELD
| dedup method,NEW_FIELD

Result :

   method    NEW_FIELD
   ------    ---------
   GET       FAIL
   POST      FAIL
   DELETE    PASS
   HEAD      FAIL

Explanation :

In the above query, "method" is an existing field in the "_internal" index.

There are two conditions on which the query assigns a value :

  1. If the "method" field is equal to "DELETE", then 'PASS' is assigned to NEW_FIELD.
  2. If the "method" field is not equal to "DELETE", then 'FAIL' is assigned to NEW_FIELD.

*****************************************************************************

Example 2:

index="_internal"
| eval NEW_FIELD=if(method=="DELETE","RIGHT",if(method=="POST","WRONG","FAILED"))
| table method,NEW_FIELD
| dedup method,NEW_FIELD

Result :

   method    NEW_FIELD
   ------    ---------
   GET       FAILED
   POST      WRONG
   DELETE    RIGHT
   HEAD      FAILED

Explanation :

In the above query, "method" is an existing field in the "_internal" index. The inner "if" is evaluated only when the outer condition is FALSE, which is how the else branch Z is used to chain conditions.

There are three conditions on which the query assigns a value :

  1. If the "method" field is equal to "DELETE", then 'RIGHT' is assigned to NEW_FIELD.
  2. If the "method" field is equal to "POST", then 'WRONG' is assigned to NEW_FIELD.
  3. If the "method" field is neither "DELETE" nor "POST", then 'FAILED' is assigned to NEW_FIELD.
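As an added example (not from the original post), the same nested "if" pattern applied to classify requests in the "_internal" index by method and by HTTP status, with a guard for events where the field is missing. It assumes the "status" field is present alongside "method" (as it is for splunkd_access events); the class labels and the "REVIEW" flag are choices of our own.

```spl
index="_internal" sourcetype="splunkd_access"
| eval method_class=if(isnull(method), "missing",
      if(method=="GET" OR method=="HEAD", "read",
      if(method=="POST" OR method=="DELETE", "write", "other")))
| eval status_class=if(status>=400, "error", "ok")
| eval flag=if(method_class=="write" AND status_class=="error", "REVIEW", "none")
| stats count by method_class, status_class, flag
```

The isnull() check labels events with no "method" field explicitly instead of letting them drop into the else branch, and the closing stats gives one count per class so failed write attempts stand out for review.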


Now you can use the "if" function with the "eval" command effectively to meet your requirement!

Hope you are now comfortable with : Usage of Splunk EVAL Function : IF

HAPPY SPLUNKING !!
