https://community.splunk.com/t5/Splunk-Search/Comparison-and-condition-function-help-Multiple-If-case-or-like/m-p/441388#M125391 <PRE><CODE>index=foo | eval Compliant=case(like(AppVersion,"14.12%"), "OK", like(AppVersion,"14.11%"),"OK" , like(AppVersion,"14.10%"),"OK" , like(AppVersion,"14.9%"),"OK" , like(AppVersion,"14.8%"),"OK"...) | table User, Platform, AppVersion, Compliant </CODE></PRE> <P>Right now table looks like this. I have only checked if an AppVersion is on the Compliant list. <BR /> 12345| Windows | 14.8 | Ok<BR /> 56789| Mac | 12.8 | <BR /> 03468| iOS | 18.0 |<BR /> 97621| Android | 18.8 | </P> <P>However, I need to check certain AppVersions against the Platform. <BR /> I imagine it would need multiple if statements and multiple cases but not sure how to do this.<BR /> One of my failures looked something like:</P> <PRE><CODE>index=foo | eval Compliant=if(Platform=Windows, case(like(AppVersion,"14.12%"), "OK", like(AppVersion,"14.11%"),"OK" , like(AppVersion,"14.10%"),"OK" , like(AppVersion,"14.9%"),"OK" , like(AppVersion,"14.8%"),"OK"...),"NO") | table foo </CODE></PRE> <P>The goal would be to show something like this.<BR /> User | Platform | AppVersion | Compliant<BR /> 12345| Windows | 14.8 | Ok<BR /> 56789| Mac | 12.8 | Ok<BR /> 03468| iOS | 18.0 | Ok<BR /> 97621| Android | 18.8 | Ok<BR /> 97423| Windows | 13.8 | No<BR /> 32638| Mac | 11.0 | No<BR /> 08346| iOS | 17.0 | No<BR /> 43835| Android | 18.2 | No</P> <P>Thank you in advance, if you can help. </P> Fri, 31 Aug 2018 21:22:00 GMT nqjpm 2018-08-31T21:22:00Z https://community.splunk.com/t5/Splunk-Search/Comparison-and-condition-function-help-Multiple-If-case-or-like/m-p/441388#M125391 <PRE><CODE>index=foo | eval Compliant=case(like(AppVersion,"14.12%"), "OK", like(AppVersion,"14.11%"),"OK" , like(AppVersion,"14.10%"),"OK" , like(AppVersion,"14.9%"),"OK" , like(AppVersion,"14.8%"),"OK"...) | table User, Platform, AppVersion, Compliant </CODE></PRE> <P>Right now table looks like this. I have only checked if an AppVersion is on the Compliant list. <BR /> 12345| Windows | 14.8 | Ok<BR /> 56789| Mac | 12.8 | <BR /> 03468| iOS | 18.0 |<BR /> 97621| Android | 18.8 | </P> <P>However, I need to check certain AppVersions against the Platform. <BR /> I imagine it would need multiple if statements and multiple cases but not sure how to do this.<BR /> One of my failures looked something like:</P> <PRE><CODE>index=foo | eval Compliant=if(Platform=Windows, case(like(AppVersion,"14.12%"), "OK", like(AppVersion,"14.11%"),"OK" , like(AppVersion,"14.10%"),"OK" , like(AppVersion,"14.9%"),"OK" , like(AppVersion,"14.8%"),"OK"...),"NO") | table foo </CODE></PRE> <P>The goal would be to show something like this.<BR /> User | Platform | AppVersion | Compliant<BR /> 12345| Windows | 14.8 | Ok<BR /> 56789| Mac | 12.8 | Ok<BR /> 03468| iOS | 18.0 | Ok<BR /> 97621| Android | 18.8 | Ok<BR /> 97423| Windows | 13.8 | No<BR /> 32638| Mac | 11.0 | No<BR /> 08346| iOS | 17.0 | No<BR /> 43835| Android | 18.2 | No</P> <P>Thank you in advance, if you can help. </P> Fri, 31 Aug 2018 21:22:00 GMT https://community.splunk.com/t5/Splunk-Search/Comparison-and-condition-function-help-Multiple-If-case-or-like/m-p/441388#M125391 nqjpm 2018-08-31T21:22:00Z https://community.splunk.com/t5/Splunk-Search/Comparison-and-condition-function-help-Multiple-If-case-or-like/m-p/441389#M125392 <P>I think a lookup should be used here!! Can you try on that lines, if you already know the conditions for Compliant? That way you can use a csv file for the true conditions of Compliant . <BR /> Your lookup should have User Platform AppVersion columns.</P> <P>basequery|lookup Compliant_condtions.csv User AS User, Platform AS Platform , columns AS columns OUTPUT Compliant<BR /> |fillnull value="No" Compliant ------ &gt; this will fill the Complaint values as "No" for the condition that dint match with the lookup</P> Fri, 31 Aug 2018 22:13:27 GMT https://community.splunk.com/t5/Splunk-Search/Comparison-and-condition-function-help-Multiple-If-case-or-like/m-p/441389#M125392 nadlurinadluri 2018-08-31T22:13:27Z https://community.splunk.com/t5/Splunk-Search/Comparison-and-condition-function-help-Multiple-If-case-or-like/m-p/441390#M125393 <P>@nqjpm,</P> <P>Try below query..<BR /> I have created with sample data . You can us the last eval with your main query.</P> <PRE><CODE> | makeresults | eval AppVersion=mvappend("14.12%","14.11%","14.10%","14.16%","14.00%") | mvexpand AppVersion | eval Platform= case(AppVersion == "14.00%", "Windows",AppVersion == "14.12%", "Windows",AppVersion == "14.16%","Mac",AppVersion == "14.12%", "iOS",AppVersion == "14.11%", "Windows",AppVersion == "14.11%", "Mac",AppVersion == "14.10%", "Windows",AppVersion == "14.10%", "Android") | eval Compliant=if(Platform="Windows" AND (AppVersion="14.12%" OR AppVersion="14.11%" OR AppVersion="14.10%" OR AppVersion="14.9%" OR AppVersion="14.8%"), "OK","NO" ) | table AppVersion Platform Compliant </CODE></PRE> <P>Thanks ..</P> Sat, 01 Sep 2018 05:22:49 GMT https://community.splunk.com/t5/Splunk-Search/Comparison-and-condition-function-help-Multiple-If-case-or-like/m-p/441390#M125393 Shan 2018-09-01T05:22:49Z