https://community.splunk.com/t5/Splunk-Dev/Multiple-case-statement-is-not-working/m-p/682256#M11416 <P>There doesn't appear to be anything wrong with case statement on its own. However, there are other statements which might affect your result, e.g. dedup. Please can you share some events demonstrating your issue?</P> Thu, 28 Mar 2024 10:26:07 GMT ITWhisperer 2024-03-28T10:26:07Z https://community.splunk.com/t5/Splunk-Dev/Multiple-case-statement-is-not-working/m-p/682253#M11415 <P>Hi Guys,</P><P>I am using multiple keywords to get count of errors from different message.So i am trying case statement to acheive it.</P><LI-CODE lang="markup">index="mulesoft" applicationName="api" environment="*" (message="Concur Ondemand Started") OR (message="API: START: /v1/fin_Concur") OR (message="*(ERROR): concur import failed for file*") OR (tracePoint="EXCEPTION") | dedup correlationId | eval JobName=case(like('message',"Concur Ondemand Started") OR like('message',"API: START: /v1/fin_Concur%") AND like('tracePoint',"EXCEPTION"),"EXPENSE JOB",like('message',"%(ERROR): concur import failed for file%"),"ACCURAL JOB") | stats count by JobName</LI-CODE><P>But i am getting only EXPENSE JOB JobName.But when i split into two query both JobName having result .</P> Thu, 28 Mar 2024 09:56:10 GMT https://community.splunk.com/t5/Splunk-Dev/Multiple-case-statement-is-not-working/m-p/682253#M11415 karthi2809 2024-03-28T09:56:10Z https://community.splunk.com/t5/Splunk-Dev/Multiple-case-statement-is-not-working/m-p/682256#M11416 <P>There doesn't appear to be anything wrong with case statement on its own. However, there are other statements which might affect your result, e.g. dedup. Please can you share some events demonstrating your issue?</P> Thu, 28 Mar 2024 10:26:07 GMT https://community.splunk.com/t5/Splunk-Dev/Multiple-case-statement-is-not-working/m-p/682256#M11416 ITWhisperer 2024-03-28T10:26:07Z