https://community.splunk.com/t5/Splunk-Search/If-Then-Conditional/m-p/514590#M144441 <P>what's the logs.<BR />your regex is not good.</P> Tue, 18 Aug 2020 05:13:54 GMT to4kawa 2020-08-18T05:13:54Z https://community.splunk.com/t5/Splunk-Search/If-Then-Conditional/m-p/514588#M144440 <P>Heres what i'm trying to accomplish:&nbsp;<BR /><BR />requestID&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;status<BR />123456&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;errored<BR />321654&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Success<BR />789456&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;errored<BR /><BR />I'm Newbie, Maybe i'm going about this all wrong, and there maybe another way....but i don't think so based on what info i have. but heres what i got so far. I'm probably over-thinking this.&nbsp;<BR /><BR />index=someindex sourcetype=sometype "request syntax" OR "error syntax" OR "success syntax"<BR />| rex field=_raw "request id: '(?&lt;requestID&gt;\d+)',\text"<BR />| rex field=_raw ".*(?&lt;error&gt;Error response received)\stext"<BR />| rex field=_raw ".*(?&lt;Success&gt;Database request executed):\stext"<BR />| eval requestID =if(requestID=(error),"Errored", "Success")<BR /><BR /><BR /></P> Tue, 18 Aug 2020 04:24:01 GMT https://community.splunk.com/t5/Splunk-Search/If-Then-Conditional/m-p/514588#M144440 codichulo 2020-08-18T04:24:01Z https://community.splunk.com/t5/Splunk-Search/If-Then-Conditional/m-p/514590#M144441 <P>what's the logs.<BR />your regex is not good.</P> Tue, 18 Aug 2020 05:13:54 GMT https://community.splunk.com/t5/Splunk-Search/If-Then-Conditional/m-p/514590#M144441 to4kawa 2020-08-18T05:13:54Z https://community.splunk.com/t5/Splunk-Search/If-Then-Conditional/m-p/514592#M144443 <P>There are a couple of oddities/errors in your query, e.g. there is no 's' after the \ in the request ID rex statement and the if statement would not need the () round error, however, it depends on your data as to what your query should look like - can you provide a sample?</P><P>However,&nbsp; from your example query, this might be better (I have removed the trailing data outside the field capture group</P><LI-CODE lang="markup">index=someindex sourcetype=sometype "request syntax" OR "error syntax" OR "success syntax" | rex field=_raw "request id: '(?&lt;requestID&gt;\d+)'" | rex field=_raw ".*(?&lt;error&gt;Error response received)" | rex field=_raw ".*(?&lt;Success&gt;Database request executed)" | eval status=if(requestID=error,"Errored", "Success")</LI-CODE><P>this is assuming that the rex statement extracting the field 'error' will give the same value as the requestID field. What is your intention with Success field extraction&nbsp;</P> Tue, 18 Aug 2020 05:16:31 GMT https://community.splunk.com/t5/Splunk-Search/If-Then-Conditional/m-p/514592#M144443 bowesmana 2020-08-18T05:16:31Z https://community.splunk.com/t5/Splunk-Search/If-Then-Conditional/m-p/514697#M144473 <P>oh sorry, the rex statements are working fine, i just removed identifiable info to make them look generic, and in doing so made them look in error.&nbsp;</P><P>it was the eval statement that i couldn't get to work right. I'll try your suggestion. Thanks so much.&nbsp;</P><P>&nbsp;</P> Tue, 18 Aug 2020 13:21:40 GMT https://community.splunk.com/t5/Splunk-Search/If-Then-Conditional/m-p/514697#M144473 codichulo 2020-08-18T13:21:40Z