topic Re: If Statment or Nested If in Splunk Search

If Statment or Nested If

hartfoml — Mon, 28 Sep 2020 09:41:14 GMT

This statement works:
| eval Reason = if (Failure_Code = "0x12", "Account disabled, expired, locked out, logon hours","Don't_Know")

But how to I evaluate it so that reason can be something different for different codes.

I tried this and it did not work:
| eval Reason = if (Failure_Code = "0x18", "Usually means bad password","(if (Failure_Code = "0x12", "Account disabled, expired, locked out, logon hours","Don't_Know")")

Is there any way to use "OR" maybe nesting the "if" in the not true section like I did above maybe several eval statements but that didn’t work either.

Re: If Statment or Nested If

Ayn — Fri, 17 Jun 2011 16:46:14 GMT

You want case:

| eval Reason = case(Failure_Code = "0x18", "Usually means bad password",Failure_Code = "0x12", "Account disabled, expired, locked out, logon hours")

case does not by itself have a finishing default value if all of the previous statements are false, but as all statements are processed sequentially and the first matching one will be returned, you can easily finish off with a default value simply by putting in a statement you know to be true:

| eval Reason = case(Failure_Code = "0x18", "Usually means bad password",Failure_Code = "0x12", "Account disabled, expired, locked out, logon hours", 1=1, "Don't know")

Re: If Statment or Nested If

hartfoml — Mon, 28 Sep 2020 09:41:17 GMT

Thanks Ayn

I tried this case statment:
| eval Reason = case(Failure_Code == 0x18, "Usually means bad password",Failure_Code == 0x12, "Account disabled, expired, locked out, logon hours","Don't_Know")

but I most have the syntax wrong as it did not work.

Re: If Statment or Nested If

Ayn — Fri, 17 Jun 2011 17:31:09 GMT

You forgot to put a statement to evaluate before "Don't_Know". Put something like 1=1 in there and it should work.

Re: If Statment or Nested If

hartfoml — Fri, 17 Jun 2011 17:31:41 GMT

I put "" around the error code number "0x18" and it worked. thanks for the help this fixes it for me.

Re: If Statment or Nested If

Skeeve — Wed, 22 Feb 2012 12:31:04 GMT

case does not by itself have a finishing default value if all of the previous statements are false, but as all statements are processed sequentially and the first matching one will be returned, you can easily finish off with a default value simply by putting in a statement you know to be true:

Alternatively one can use the coalesce function:

| eval Reason = coalesce( case(Failure_Code = "0x18", "Usually means bad password",Failure_Code = "0x12", "Account disabled, expired, locked out, logon hours"), "Don't know")

Re: If Statment or Nested If

hartfoml — Wed, 22 Feb 2012 14:18:17 GMT

thanks this is a great addon to the case statment for when the value is not known

Re: If Statment or Nested If

rbrownlee — Tue, 08 Apr 2014 12:52:15 GMT

You may use multiple IF statements in the same eval, just remember to close them all.

For example:
| eval StartNum = if (
substr(TwitterID,1,1) = "0", 0,
if(substr(TwitterID,1,1) = "1", 1,
if(substr(TwitterID,1,1) = "2", 2,
if(substr(TwitterID,1,1) = "3", 3,
"over 3"
))))

Re: If Statment or Nested If

ECovell — Tue, 15 Apr 2014 12:18:21 GMT

Ayn...you are such an amazing help!!

Re: If Statment or Nested If

stephane_cyrill — Sun, 26 Apr 2015 20:20:42 GMT

simply .......

Re: If Statment or Nested If

rfiscus — Mon, 02 Nov 2015 18:45:17 GMT

Thanks, that got it for me.

Re: If Statment or Nested If

bagarwal — Tue, 31 May 2016 12:28:03 GMT

Thanks a lot!! It helps 🙂

Re: If Statment or Nested If

TonyLeeVT — Sat, 04 Aug 2018 17:46:50 GMT

Thank you for answering the nested if statement question instead of proposing a case statement. The colorPalette expression option does not appear to like case statements.

https://docs.splunk.com/Documentation/Splunk/7.1.2/Viz/TableFormatsXML

However, your nested if option worked great. For example:

<colorPalette type="expression">if(value LIKE "Server 2003", "#00cc00", if(value LIKE "Windows 10","#00cc00","#D93F3C"))</colorPalette>

Re: If Statment or Nested If

niketn — Sat, 04 Aug 2018 18:27:15 GMT

@TonyLeeVT thanks for sharing this hidden nugget! I thought Simple XML JS extesion was the only way for this scenario 🙂

Re: If Statment or Nested If

yvassilyeva — Thu, 27 Aug 2020 13:20:45 GMT

HI! It seems like you might see where i am having trouble with the if statement. Thank you in advance!

I have a field called Status, and once of the values is called Queue. I want to replace the word Queue with either Risk or Missed - that is dependent on another field called Dep. So if Dep=Risk, then the Queue value should be renamed Risk, and if Dep=Missed, then Queue value should be renamed as Missed. Here is my search:

| eval Status = if(Status="Queue", (case(Dep="RISK", RISK), (Dep="MISSED", MISSED)))