https://community.splunk.com/t5/Splunk-Search/Eval-Case-Formula/m-p/361937#M106933 <P>converted to answer, if it worked for you, please accept it and mark as answered</P> Fri, 11 Aug 2017 13:07:54 GMT adonio 2017-08-11T13:07:54Z https://community.splunk.com/t5/Splunk-Search/Eval-Case-Formula/m-p/361932#M106928 <P>Hi,</P> <P>Struggling to complete an Eval Case syntax. I want to create a situation where I have a new field called provider based on certain criteria.</P> <P>Provider: <BR /> XYZ (if D1_Code equals X and current team does not equal <EM>ABC</EM> or <EM>DEF</EM>)<BR /> ABC (if current team equals <EM>ABC</EM>) - wildcards needed as there are variants of ABC<BR /> DEF (if current team equals <EM>DEF</EM>) - wildcards needed as there are variants of DEF</P> <P>Search string is | eval Provider=case(D1_Code="X" AND Current_Team!="<EM>ABC</EM>" AND Current_Team!="<EM>DEF</EM>", "XYZ", Current_Team="<EM>ABC</EM>", "ABC", Current_Team="<EM>DEF</EM>", "DEF")</P> <P>The first part of the eval works on it's own but when I try and add criteria for ABC and DEF it will not work. <BR /> Provider=case(D1_Code="X" AND Current_Team!="<EM>ABC</EM>" AND Current_Team!="<EM>DEF</EM>")</P> <P>Could anyone please advice? Not sure if case is the right thing to use here.</P> <P>Thanks in advance</P> Tue, 29 Sep 2020 15:18:20 GMT https://community.splunk.com/t5/Splunk-Search/Eval-Case-Formula/m-p/361932#M106928 jackreeves 2020-09-29T15:18:20Z https://community.splunk.com/t5/Splunk-Search/Eval-Case-Formula/m-p/361933#M106929 <P>great answer here:<BR /> <A href="https://answers.splunk.com/answers/170602/how-would-i-use-eval-with-a-wildcard-to-create-a-c.html">https://answers.splunk.com/answers/170602/how-would-i-use-eval-with-a-wildcard-to-create-a-c.html</A></P> Thu, 10 Aug 2017 17:58:44 GMT https://community.splunk.com/t5/Splunk-Search/Eval-Case-Formula/m-p/361933#M106929 adonio 2017-08-10T17:58:44Z https://community.splunk.com/t5/Splunk-Search/Eval-Case-Formula/m-p/361934#M106930 <P>How about you change the order, like this...</P> <PRE><CODE>....| eval Provider=case(Current_Team="ABC", "ABC", Current_Team="DEF", "DEF",D1_Code="X", "XYZ") </CODE></PRE> <P>Also, if you want to match with wildcards (you need to provide actual sample values for better suggestions), try this</P> <PRE><CODE>....| eval Provider=case(match(Current_Team,"ABC"), "ABC", match(Current_Team,"DEF"), "DEF",D1_Code="X", "XYZ") </CODE></PRE> Thu, 10 Aug 2017 18:03:06 GMT https://community.splunk.com/t5/Splunk-Search/Eval-Case-Formula/m-p/361934#M106930 somesoni2 2017-08-10T18:03:06Z https://community.splunk.com/t5/Splunk-Search/Eval-Case-Formula/m-p/361935#M106931 <P>This works for me: <CODE>| makeresults | eval D1_Code="X", Current_Team="DEF" | eval Provider=case( (D1_Code="X" AND Current_Team!="ABC" AND Current_Team!="DEF"), "XYZ", Current_Team="ABC", "ABC", Current_Team="DEF", "DEF")</CODE></P> Thu, 10 Aug 2017 18:04:19 GMT https://community.splunk.com/t5/Splunk-Search/Eval-Case-Formula/m-p/361935#M106931 s2_splunk 2017-08-10T18:04:19Z https://community.splunk.com/t5/Splunk-Search/Eval-Case-Formula/m-p/361936#M106932 <P>Brilliant - this solved the issue!</P> <P>Many thanks</P> Fri, 11 Aug 2017 08:14:22 GMT https://community.splunk.com/t5/Splunk-Search/Eval-Case-Formula/m-p/361936#M106932 jackreeves 2017-08-11T08:14:22Z https://community.splunk.com/t5/Splunk-Search/Eval-Case-Formula/m-p/361937#M106933 <P>converted to answer, if it worked for you, please accept it and mark as answered</P> Fri, 11 Aug 2017 13:07:54 GMT https://community.splunk.com/t5/Splunk-Search/Eval-Case-Formula/m-p/361937#M106933 adonio 2017-08-11T13:07:54Z