Learn How to Use the Splunk EVAL Function: IF
The EVAL function IF takes three arguments: X, Y and Z.
The first argument X must be a Boolean expression. When X evaluates to TRUE, the function returns the second argument Y.
When X evaluates to FALSE, the function returns the third argument Z. Z is the "else" part of the "if" function and it cannot be left blank.
Skeleton of the "if" function used with EVAL:
... | eval New_Field=if(X,"Y","Z")
Example one
index="_internal"
| eval NEW_FIELD=if(method=="DELETE","PASS","FAIL")
| table method, NEW_FIELD
| dedup method, NEW_FIELD
Results
Explanations
In the query above, "method" is an existing field in the "_internal" index, and the Splunk eval function is used to derive NEW_FIELD from it.
The query applies two conditions:
- When the "method" field equals "DELETE", 'PASS' is assigned to NEW_FIELD.
- When the "method" field does not equal "DELETE", 'FAIL' is assigned to NEW_FIELD.
Example two
index="_internal"
| eval NEW_FIELD=if(method=="DELETE","RIGHT",if(method=="POST","WRONG","FAILED"))
| table method, NEW_FIELD
| dedup method, NEW_FIELD
Results
Explanations
In the query above, "method" is an existing field in the "_internal" index.
The nested "if" applies three conditions, checked in order:
- When the "method" field equals "DELETE", 'RIGHT' is assigned to NEW_FIELD.
- When the "method" field equals "POST", 'WRONG' is assigned to NEW_FIELD.
- When the "method" field is neither "DELETE" nor "POST", 'FAILED' is assigned to NEW_FIELD.
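To make the evaluation order of the plain and nested "if" concrete, here is an added Python model of both examples above (it is not part of the original page and not Splunk's own code). It reimplements the if(X, Y, Z) rule, runs it over a few constructed splunkd_access-style events, then applies the same table/dedup step. The event lines, the extract_method regex and the helper names are assumptions made for the example; the comparison being case-sensitive is how the SPL == operator behaves, which is why the method value in the condition must match the upper-case values stored in _internal.

```python
import re

# Constructed sample events in the shape of _internal splunkd_access entries
# (hypothetical values, not real logs).
SAMPLE_EVENTS = [
    '127.0.0.1 - admin [01/Jan/2024:10:00:00.000 +0000] "GET /services/server/info HTTP/1.1" 200 1234 - - - 3ms',
    '127.0.0.1 - admin [01/Jan/2024:10:00:01.000 +0000] "POST /services/auth/login HTTP/1.1" 200 2048 - - - 7ms',
    '127.0.0.1 - admin [01/Jan/2024:10:00:02.000 +0000] "DELETE /services/saved/searches/x HTTP/1.1" 200 512 - - - 5ms',
    '127.0.0.1 - admin [01/Jan/2024:10:00:03.000 +0000] "GET /services/server/info HTTP/1.1" 200 1234 - - - 2ms',
    '127.0.0.1 - admin [01/Jan/2024:10:00:04.000 +0000] "DELETE /services/saved/searches/y HTTP/1.1" 200 512 - - - 4ms',
]

# Hypothetical field extraction: the HTTP method is the first token of the quoted request line.
METHOD_RE = re.compile(r'"([A-Z]+) ')


def extract_method(event):
    """Return the 'method' field for one event, or None when it cannot be extracted."""
    m = METHOD_RE.search(event)
    return m.group(1) if m else None


def eval_if(x, y, z):
    """Model of Splunk eval if(X, Y, Z): Y when X is TRUE, otherwise Z.
    Z is mandatory, so every call has to provide the fallback branch.
    (Modelling assumption: a missing field simply does not match, so Z is returned.)"""
    return y if x is True else z


def dedup(rows):
    """Model of '| dedup method, NEW_FIELD': keep the first row for each distinct
    (method, NEW_FIELD) pair, preserving the original order."""
    seen = set()
    out = []
    for row in rows:
        if row not in seen:
            seen.add(row)
            out.append(row)
    return out


def example_one(events):
    """Example one: if(method=="DELETE","PASS","FAIL") | table method, NEW_FIELD | dedup."""
    rows = []
    for ev in events:
        method = extract_method(ev)
        rows.append((method, eval_if(method == "DELETE", "PASS", "FAIL")))
    return dedup(rows)


def example_two(events):
    """Example two: nested if. The outer condition is checked first; only when it is
    FALSE does the inner if run, and the innermost Z ("FAILED") is the default."""
    rows = []
    for ev in events:
        method = extract_method(ev)
        new_field = eval_if(method == "DELETE", "RIGHT",
                            eval_if(method == "POST", "WRONG", "FAILED"))
        rows.append((method, new_field))
    return dedup(rows)


def case_sensitive_pitfall(events):
    """Same as example one but comparing against "Delete": because == is case-sensitive,
    nothing in the sample matches and every row falls through to the Z branch."""
    rows = ((extract_method(ev), eval_if(extract_method(ev) == "Delete", "PASS", "FAIL"))
            for ev in events)
    return dedup(rows)


if __name__ == "__main__":
    print("example one:", example_one(SAMPLE_EVENTS))
    print("example two:", example_two(SAMPLE_EVENTS))
    print("wrong case :", case_sensitive_pitfall(SAMPLE_EVENTS))
```

Running the block prints three deduplicated tables: example one yields GET/FAIL, POST/FAIL and DELETE/PASS; example two yields GET/FAILED, POST/WRONG and DELETE/RIGHT; the mixed-case variant yields FAIL for every method, which is the symptom to look for when an eval-based classification unexpectedly returns only its else value.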
With this, you can use the "if" function with the Splunk eval command to suit your requirements.