Channel: Questions in topic: "splunk-enterprise"

Why is my eval if() not working consistently

I'm having a difficult time getting what I believe is a simple eval command to work as I would expect. What I'm trying to accomplish is to convert a 1 or 0 into Yes or No respectively. I'm able to do so just fine on one field, but 2 others are giving me a problem. Here's the search I'm running:

    | rest /servicesNS/-/-/saved/searches
    | search action.myAction=1
    | foreach action.myAction.param.myParam1 action.myAction.param.myParam2 is_scheduled [eval <<FIELD>>=if(isnull(<<FIELD>>),<<FIELD>>,if(<<FIELD>>=1,"Yes","No"))]
    | rename action.myAction.param.myParam1 as param1, action.myAction.param.myParam2 as param2

I had to add the isnull check as the 2 param fields do not always have data in them and the search would not run without the isnull. This search does result in Yes/No values in the is_scheduled field, but the param fields remain unchanged. To my knowledge, Splunk is treating them as numbers as they are right-justified in the results table. Here is some sample output from the above search:

    title, param1, param2, is_scheduled
    alert1, , yes
    alert2, 1, 1, Yes
    alert3, 1, 0, Yes
    alert4, 0, 0, Yes

I have also tried adding another field to test whether the data is a string, number or null, but end up with very strange results from that. I added the following lines between the search and foreach lines to get the results below:

    | eval isNumber=if(isNum(action.myAction.param.myParam1),"yes","no")
    | eval isString=if(isStr(action.myAction.param.myParam1),"yes","no")
    | eval isNull=if(isNull(action.myAction.param.myParam1),"yes","no")

Results:

    title, param1, param2, is_scheduled, isNumber, isString, isNull
    alert1, , yes, no, no, yes
    alert2, 1, 1, Yes, no, no, yes
    alert3, 1, 0, Yes, no, no, yes
    alert4, 0, 0, Yes, no, no, yes

I have copied and pasted the field name everywhere within the command to make sure I haven't typo'd anything and I have tried renaming the fields prior to the eval command and using the renamed field instead of the original, but that changes nothing.
I have also tried doing it outside a foreach loop, but still get the same results. What am I missing? Is there a better way to accomplish what I'm trying to do?
