https://community.splunk.com/t5/Splunk-Search/can-we-use-field-name-for-comparison-in-case-statement/m-p/361320#M106720 <P>Yes, you can use fields in case statements. Here is a simple example that proves it.</P> <PRE><CODE>| makeresults | fields - _time | eval thresh = 3, value = 3 | eval result = case(thresh &gt; value, "lower", thresh &lt; value, "higher", thresh == value, "equal", 1==1, "0") </CODE></PRE> <P>Without having your actual data, one suggestion I would make is replace <CODE>NULL</CODE> with <CODE>NULL()</CODE> in the case statement. Then change the following search to <CODE>| WHERE isnotnull(ty)</CODE>. Maybe the fact that you are using <CODE>search</CODE> against a table of field values and not <CODE>_raw</CODE> is the issue.</P> <P>So the modified search would be</P> <PRE><CODE>index= sourcetype= | stats values(OPEN_INT) as int by OPTION_TYP STRIKE_PR | appendcols [|search index= sourcetype= OPTION_TYP=XX | eval a1=CLOSE-(CLOSE*75)/10000|eval a2=CLOSE+(CLOSE*75)/10000| eval i2=CLOSE-(CLOSE*25)/1000 | eval o2=CLOSE+(CLOSE*25)/1000 |table a1 a2 i2 o2 CLOSE] | eval ty=case(STRIKE_PR&gt;=9839.46 AND STRIKE_PR&lt;10016,"IN",STRIKE_PR&gt;=10016 AND STRIKE_PR&lt;10167,"AT" ,STRIKE_PR&gt;=10167 AND STRIKE_PR&lt;=10344,"OUT",1==1, NULL()) | where isnotnull(ty) </CODE></PRE> Thu, 10 Aug 2017 08:40:47 GMT rjthibod 2017-08-10T08:40:47Z https://community.splunk.com/t5/Splunk-Search/can-we-use-field-name-for-comparison-in-case-statement/m-p/361319#M106719 <P>Hi Splunkers!</P> <P>I am try to evaluate few things by using query below-</P> <P>index=* sourcetype=* | stats values(OPEN_INT) as int by <BR /> OPTION_TYP STRIKE_PR | appendcols [|search index=* sourcetype=* <BR /> OPTION_TYP=XX | eval a1=CLOSE-(CLOSE*75)/10000|eval a2=CLOSE+(CLOSE*75)/10000| <BR /> eval i2=CLOSE-(CLOSE*25)/1000 | eval o2=CLOSE+(CLOSE*25)/1000 |table a1 a2 i2 o2 CLOSE]|<BR /> eval ty=case(STRIKE_PR&gt;=9839.46 AND STRIKE_PR&lt;10016,"IN",STRIKE_PR&gt;=10016 AND STRIKE_PR&lt;10167,"AT"<BR /> ,STRIKE_PR&gt;=10167 AND STRIKE_PR&lt;=10344,"OUT",1==1, NULL) | search ty!=NULL |</P> <P>I need to use the values of fields a1 a2 i2 o2 in the case statement written above, such that my statement appears like-<BR /> eval ty=case(STRIKE_PR&gt;=i2 AND STRIKE_PR=a1 AND STRIKE_PR=a2AND STRIKE_PR&lt;=o2,"OUT",1==1, NULL) | search ty!=NULL |</P> <P>But splunk doesn't give me any results when i use fields name instead of the numeric value.</P> <P>Can someone figure out what the problem is?</P> Tue, 29 Sep 2020 15:18:10 GMT https://community.splunk.com/t5/Splunk-Search/can-we-use-field-name-for-comparison-in-case-statement/m-p/361319#M106719 shivi_tcs 2020-09-29T15:18:10Z https://community.splunk.com/t5/Splunk-Search/can-we-use-field-name-for-comparison-in-case-statement/m-p/361320#M106720 <P>Yes, you can use fields in case statements. Here is a simple example that proves it.</P> <PRE><CODE>| makeresults | fields - _time | eval thresh = 3, value = 3 | eval result = case(thresh &gt; value, "lower", thresh &lt; value, "higher", thresh == value, "equal", 1==1, "0") </CODE></PRE> <P>Without having your actual data, one suggestion I would make is replace <CODE>NULL</CODE> with <CODE>NULL()</CODE> in the case statement. Then change the following search to <CODE>| WHERE isnotnull(ty)</CODE>. Maybe the fact that you are using <CODE>search</CODE> against a table of field values and not <CODE>_raw</CODE> is the issue.</P> <P>So the modified search would be</P> <PRE><CODE>index= sourcetype= | stats values(OPEN_INT) as int by OPTION_TYP STRIKE_PR | appendcols [|search index= sourcetype= OPTION_TYP=XX | eval a1=CLOSE-(CLOSE*75)/10000|eval a2=CLOSE+(CLOSE*75)/10000| eval i2=CLOSE-(CLOSE*25)/1000 | eval o2=CLOSE+(CLOSE*25)/1000 |table a1 a2 i2 o2 CLOSE] | eval ty=case(STRIKE_PR&gt;=9839.46 AND STRIKE_PR&lt;10016,"IN",STRIKE_PR&gt;=10016 AND STRIKE_PR&lt;10167,"AT" ,STRIKE_PR&gt;=10167 AND STRIKE_PR&lt;=10344,"OUT",1==1, NULL()) | where isnotnull(ty) </CODE></PRE> Thu, 10 Aug 2017 08:40:47 GMT https://community.splunk.com/t5/Splunk-Search/can-we-use-field-name-for-comparison-in-case-statement/m-p/361320#M106720 rjthibod 2017-08-10T08:40:47Z https://community.splunk.com/t5/Splunk-Search/can-we-use-field-name-for-comparison-in-case-statement/m-p/361321#M106721 <P>Hi,<BR /> Thanks for replying.<BR /> I got a part of solution from your answer!</P> Thu, 10 Aug 2017 10:09:53 GMT https://community.splunk.com/t5/Splunk-Search/can-we-use-field-name-for-comparison-in-case-statement/m-p/361321#M106721 shivi_tcs 2017-08-10T10:09:53Z https://community.splunk.com/t5/Splunk-Search/can-we-use-field-name-for-comparison-in-case-statement/m-p/361322#M106722 <P>Glad to hear you got it cleared up. Please award points or accept it as the answer if your issue is resolved.</P> Thu, 10 Aug 2017 10:15:49 GMT https://community.splunk.com/t5/Splunk-Search/can-we-use-field-name-for-comparison-in-case-statement/m-p/361322#M106722 rjthibod 2017-08-10T10:15:49Z