
Usage of Splunk EVAL Function : IF

  • This function takes three arguments: X, Y and Z.
  • The first argument, X, must be a Boolean expression.
  • If X evaluates to TRUE, the function returns the second argument, Y.
  • If X evaluates to FALSE, the function returns the third argument, Z.
  • Z is the "else" part of the "if" function; it cannot be left blank.

Find below the skeleton of the usage of the function if with EVAL (note that the quotes must be straight ASCII quotes, not the curly quotes produced by word processors, or the search will fail to parse):

    ... | eval New_Field=if(X,"Y","Z")

Example 1:

index="_internal"
| eval NEW_FIELD=if(method=="DELETE","PASS","FAIL")
| table method,NEW_FIELD
| dedup method,NEW_FIELD

 

Result :

    method    NEW_FIELD
    GET       FAIL
    POST      FAIL
    DELETE    PASS
    HEAD      FAIL

Explanation : 

In the above query, "method" is an existing field in the "_internal" index, and the Splunk eval command is used to derive NEW_FIELD from it.

There are two conditions based on which the query is executed :

  1. If the "method" field is equal to "DELETE", then 'PASS' is assigned to NEW_FIELD.
  2. If the "method" field is not equal to "DELETE", then 'FAIL' is assigned to NEW_FIELD.

*****************************************************************************

Example 2:

index="_internal"
| eval NEW_FIELD=if(method=="DELETE","RIGHT",if(method=="POST","WRONG","FAILED"))
| table method,NEW_FIELD
| dedup method,NEW_FIELD

Result :

    method    NEW_FIELD
    GET       FAILED
    POST      WRONG
    DELETE    RIGHT
    HEAD      FAILED

Explanation :
In the above query, "method" is an existing field in the "_internal" index. The inner if() is evaluated only when the outer condition is FALSE, so the branches are checked in order.
There are three conditions based on which the query is executed :

  1. If the "method" field is equal to "DELETE", then 'RIGHT' is assigned to NEW_FIELD.
  2. If the "method" field is equal to "POST", then 'WRONG' is assigned to NEW_FIELD.
  3. If the "method" field is neither "DELETE" nor "POST", then 'FAILED' is assigned to NEW_FIELD.
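The same nested if() pattern applied to a triage use case, as an added example that is not part of the original post: it buckets splunkd_access requests in the "_internal" index by HTTP status and flags state-changing methods. It assumes the standard sourcetype=splunkd_access events with their "status" and "method" fields; the isnull() guard shows the caveat that a comparison against a missing field is not TRUE and therefore falls through to the else branch, and match() is used because == is case-sensitive.

```spl
index="_internal" sourcetype=splunkd_access
| eval category=if(isnull(status), "no_status",
                 if(status>=500, "server_error",
                 if(status>=400, "client_error", "ok")))
| eval is_mutating=if(match(method, "^(POST|PUT|DELETE)$"), "yes", "no")
| stats count by category, is_mutating
```

Without the isnull() guard, events with no status field would silently land in the "ok" bucket, which is the kind of blind spot to check for before relying on such a classification in an alert.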
You can also know about :  Usage Of Splunk EVAL Function : MVMAP

 

Now you can effectively use the "if" function with the Splunk eval command to meet your requirements !!

Hope you are now comfortable in : Usage of Splunk EVAL Function : IF

 

HAPPY SPLUNKING !!
