https://community.splunk.com/t5/Monitoring-Splunk/How-to-compare-two-conditions-in-splunk-query/m-p/605246#M9041 <P>This is a bit confusing - are you trying to set severityType to FATAL if response code is one of the 400 codes or 500 and return code is a particular value?</P><LI-CODE lang="markup">| eval severityType=if(httpResponseCode=400 OR httpResponseCode=401 OR httpResponseCode=403 OR httpResponseCode=404 OR (httpResponseCode=500 AND returnCode="APS.API.6544"), "FATAL", "NOT FATAL")</LI-CODE> Tue, 12 Jul 2022 07:54:34 GMT ITWhisperer 2022-07-12T07:54:34Z https://community.splunk.com/t5/Monitoring-Splunk/How-to-compare-two-conditions-in-splunk-query/m-p/605242#M9040 <P>Hi All,</P> <P>&nbsp; &nbsp; &nbsp;I am trying to fetch events by comparing two conditions where i am&nbsp; unable to do that.<BR />I have sample log like this:<BR /><SPAN>[15:53:12.172] [WARN ] [] [c.c.n.t.e.i.T.ServiceCalloutEventData] [] - channel="null", productVersion="2FE1-5634ab725", apiVersion="V1", uuid="2Fedec2-16f0-4988-b1fa-68db0c565a9f", eventDateTime="2022-07-11T05:53:12.172Z", severity="WARN", code="ServfefrventData", component="wDEGG", category="integrational-eFsdal", serviceName="Details", eventName="_RESPONSE", message="CadfSFDresponse",&nbsp; start="1657518790580", stop="1657518792172", elapsed="1592", exceptionInfo="null", url="<A href="https://scdssfg.com/npp-mms/v1/mandates/actions/DVd" target="_blank" rel="noopener">https://scdssfg.com/npp-mms/v1/mandates/actions/DVd</A>", <STRONG>httpResponseCode="500"</STRONG>, priority="NORM", servicingAgentBIC="CTBAAUSNXXX", swiftMessagePartnerBIC="RESTMP1", messageIdentification="beb727a900dd11edaf1a69ae7e224ce5", mandateIdentification="111536a1519111ec9bb20e6904f27a9e", <STRONG>returnCode="APS.API.6544</STRONG>"&nbsp;</SPAN></P> <P>I need to fetch all the events with all httpstatuscode and compare with returncode and then decide the severity type.<BR />For all statuscode type cannot differ but for only 500(httpstatus code)based on returncode the severitytype would differ.<BR />So i need to write query for httpstatus code when it hits 500 it has to check return code and for remaining no need to check any returncode.</P> <P>&nbsp;</P> <LI-CODE lang="markup">index=a_audit |rex field=log "eventName=\"*(?&lt;eventName&gt;[^,\"\s]+)"|rex field=log "serviceName=\"*(?&lt;serviceName&gt;[^\"]+)"|rex field=log "severity=\"*(?&lt;severity&gt;[^\"]+)"|rex field=log "exceptionInfo=\"*(?&lt;exceptionInfo&gt;[^\"]+)"|rex field=log "httpResponseCode=\"*(?&lt;httpResponseCode&gt;[^\"]+)"|rex field=log "returnCode=\"*(?&lt;returnCode&gt;[^\"]+)"|stats count by eventName serviceName severity exceptionInfo httpResponseCode returnCode|search serviceName="Details" AND eventName="RESPONSE" AND (severity=ERROR OR severity=WARN) |eval severityType=(httpResponseCode=400 OR httpResponseCode=401 OR httpResponseCode=403 OR httpResponseCode=404 "FATAL") AND (httpResponseCode=500 IN (returnCode=APS.API.6544) |where count&gt;1</LI-CODE> <P>&nbsp;</P> <P>i cant able to compare 2 conditions for same field.Can you help me on the same.</P> Tue, 12 Jul 2022 13:55:19 GMT https://community.splunk.com/t5/Monitoring-Splunk/How-to-compare-two-conditions-in-splunk-query/m-p/605242#M9040 vineela 2022-07-12T13:55:19Z https://community.splunk.com/t5/Monitoring-Splunk/How-to-compare-two-conditions-in-splunk-query/m-p/605246#M9041 <P>This is a bit confusing - are you trying to set severityType to FATAL if response code is one of the 400 codes or 500 and return code is a particular value?</P><LI-CODE lang="markup">| eval severityType=if(httpResponseCode=400 OR httpResponseCode=401 OR httpResponseCode=403 OR httpResponseCode=404 OR (httpResponseCode=500 AND returnCode="APS.API.6544"), "FATAL", "NOT FATAL")</LI-CODE> Tue, 12 Jul 2022 07:54:34 GMT https://community.splunk.com/t5/Monitoring-Splunk/How-to-compare-two-conditions-in-splunk-query/m-p/605246#M9041 ITWhisperer 2022-07-12T07:54:34Z