How to Use the Splunk EVAL Function

Learn how to use the Splunk EVAL function: if

The EVAL function if takes three arguments: X, Y and Z.

The first argument X must be a Boolean expression. When X evaluates to TRUE, the function returns its second argument Y.

When X evaluates to FALSE, the function returns the third argument Z. Z is the "else" part of the if function and cannot be left blank.

Skeleton of the "if" function used with EVAL

... | eval New_Field=if(X,"Y","Z")

Example one 

index="_internal"

| eval NEW_FIELD=if(method=="DELETE","PASS","FAIL")

| table method, NEW_FIELD

| dedup method, NEW_FIELD

Results 

Explanations

In the query above, "method" is an existing field name in the "_internal" index, and the eval if function derives NEW_FIELD from it. Note that the == comparison in eval is case-sensitive, so the value must match exactly as it is stored in the field.

The query applies two conditions:

  1. When the "method" field equals "DELETE", 'PASS' is assigned to NEW_FIELD.
  2. When the "method" field does not equal "DELETE", 'FAIL' is assigned to NEW_FIELD.

Example two

index="_internal"

| eval NEW_FIELD=if(method=="DELETE","RIGHT",if(method=="POST","WRONG","FAILED"))

| table method, NEW_FIELD

| dedup method, NEW_FIELD

Results

Explanations

In the query above, "method" is an existing field name in the "_internal" index. The inner if call is nested as the Z argument of the outer one, which gives an else-if chain.

The query applies three conditions:

  1. When the "method" field equals "DELETE", 'RIGHT' is assigned to NEW_FIELD.
  2. When the "method" field equals "POST", 'WRONG' is assigned to NEW_FIELD.
  3. When the "method" field is neither "DELETE" nor "POST", "FAILED" is assigned to NEW_FIELD.

With this, you can use the "if" function with the Splunk eval command to suit your requirements.
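As an added example, not from the original post, the search below builds on the nested if above to classify splunkd requests for review. It normalises the value with upper() because eval's == comparison is case-sensitive, handles a missing method field with isnull() (a null field never satisfies the X condition, so it would otherwise silently fall through to Z), and uses a Boolean OR in the first argument. The sourcetype "splunkd_access" and the "status" field are assumed to exist in your _internal index.

```spl
index="_internal" sourcetype="splunkd_access"
| eval method_uc=upper(method)
| eval NEW_FIELD=if(isnull(method_uc), "UNKNOWN",
      if(method_uc=="DELETE" OR method_uc=="POST",
         if(tonumber(status)>=400, "CHANGE_FAILED", "CHANGE_OK"),
         "READ"))
| stats count BY method, status, NEW_FIELD
| sort - count
```

Requests that attempted a change and were rejected (HTTP status 400 or above) surface as CHANGE_FAILED, which is the row a reviewer would look at first; events with no method field are labelled UNKNOWN instead of being mislabelled as READ.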
