https://community.splunk.com/t5/Splunk-Search/IF-Statement-customized-EVAL/m-p/537026#M151809 <P>Does this help?</P><LI-CODE lang="markup">index=opennms "uei.opennms.org/nodes/nodeUp" OR "uei.opennms.org/nodes/nodeDown" | rex field=eventuei "uei.opennms.org/nodes/node(?&lt;Status&gt;.+)" | stats max(_time) as Time latest(Status) as Status by nodelabel | lookup ONMS_nodes.csv nodelabel OUTPUT sitecode | table sitecode, nodelabel, Status,Time | where match(nodelabel,"WANRTC|LANCCO|WLNWLC|APNINT")</LI-CODE><P>&nbsp;</P> Mon, 25 Jan 2021 10:41:43 GMT renjith_nair 2021-01-25T10:41:43Z https://community.splunk.com/t5/Splunk-Search/IF-Statement-customized-EVAL/m-p/537022#M151808 <P>Hi All,</P><P>need help in my query, formatting an IF statement.</P><P><U><STRONG>My Code:&nbsp;</STRONG></U></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">index=opennms "uei.opennms.org/nodes/nodeUp" OR "uei.opennms.org/nodes/nodeDown" | rex field=eventuei "uei.opennms.org/nodes/node(?&lt;Status&gt;.+)" | stats max(_time) as Time latest(Status) as Status by nodelabel | lookup ONMS_nodes.csv nodelabel OUTPUT sitecode | table sitecode, nodelabel, Status,Time</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P><U><STRONG>My Output:&nbsp;</STRONG></U></P><TABLE border="1" width="99.87096774193549%"><TBODY><TR><TD width="18.838709677419356%">sitecode</TD><TD width="38.32258064516129%">nodelabel</TD><TD width="13.806451612903226%">Status</TD><TD width="28.903225806451616%">Time</TD></TR><TR><TD width="18.838709677419356%">ABM</TD><TD width="38.32258064516129%">ARABMLANCCO1</TD><TD width="13.806451612903226%">Up</TD><TD width="28.903225806451616%">1/23/2021 14:35</TD></TR><TR><TD width="18.838709677419356%">ABM</TD><TD width="38.32258064516129%">ARABMLANCUA1</TD><TD width="13.806451612903226%">Up</TD><TD width="28.903225806451616%">1/23/2021 8:26</TD></TR><TR><TD width="18.838709677419356%">ABM</TD><TD width="38.32258064516129%">ARABMLANCUA2</TD><TD width="13.806451612903226%">Up</TD><TD width="28.903225806451616%">1/23/2021 8:25</TD></TR><TR><TD width="18.838709677419356%">ABM</TD><TD width="38.32258064516129%">ARABMWANRTC1</TD><TD width="13.806451612903226%">Up</TD><TD width="28.903225806451616%">1/23/2021 8:25</TD></TR><TR><TD width="18.838709677419356%">ABM</TD><TD width="38.32258064516129%">ARABMLANCUA3</TD><TD width="13.806451612903226%">Up</TD><TD width="28.903225806451616%">1/23/2021 8:25</TD></TR><TR><TD width="18.838709677419356%">ABM</TD><TD width="38.32258064516129%">ARABMLANCUA4</TD><TD width="13.806451612903226%">Up</TD><TD width="28.903225806451616%">1/23/2021 8:25</TD></TR><TR><TD width="18.838709677419356%">ABM</TD><TD width="38.32258064516129%">ARABMAPNOPT1</TD><TD width="13.806451612903226%">Up</TD><TD width="28.903225806451616%">1/19/2021 13:37</TD></TR><TR><TD width="18.838709677419356%">ZBQ</TD><TD width="38.32258064516129%">BRZBQLANCUA1</TD><TD width="13.806451612903226%">Up</TD><TD width="28.903225806451616%">1/19/2021 13:37</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>Above table am getting from my code.</P><P><U><STRONG>Requirement :&nbsp;</STRONG></U></P><P>I want to list down all devices from that sitecode which have any of these name&nbsp;("*WANRTC*" OR "*LANCCO*" OR "*WLNWLC*"OR "*APNINT*") these keyword in nodelabel. rest all site code should be removed from the list.</P><P>&nbsp;</P><P>In my output. Am having ABM site which matches any of that Keyword and that to be displayed, where as ZBQ doesnt have any of that keyword devices in the list, so it should be removed.</P><P>like and IF ("*WANRTC*" OR "*LANCCO*" OR "*WLNWLC*"OR "*APNINT*")&nbsp; any of this present in device names, then the complete list to be displayed.&nbsp;</P><P>&nbsp;</P> Mon, 25 Jan 2021 10:30:26 GMT https://community.splunk.com/t5/Splunk-Search/IF-Statement-customized-EVAL/m-p/537022#M151808 jerinvarghese 2021-01-25T10:30:26Z https://community.splunk.com/t5/Splunk-Search/IF-Statement-customized-EVAL/m-p/537026#M151809 <P>Does this help?</P><LI-CODE lang="markup">index=opennms "uei.opennms.org/nodes/nodeUp" OR "uei.opennms.org/nodes/nodeDown" | rex field=eventuei "uei.opennms.org/nodes/node(?&lt;Status&gt;.+)" | stats max(_time) as Time latest(Status) as Status by nodelabel | lookup ONMS_nodes.csv nodelabel OUTPUT sitecode | table sitecode, nodelabel, Status,Time | where match(nodelabel,"WANRTC|LANCCO|WLNWLC|APNINT")</LI-CODE><P>&nbsp;</P> Mon, 25 Jan 2021 10:41:43 GMT https://community.splunk.com/t5/Splunk-Search/IF-Statement-customized-EVAL/m-p/537026#M151809 renjith_nair 2021-01-25T10:41:43Z https://community.splunk.com/t5/Splunk-Search/IF-Statement-customized-EVAL/m-p/537030#M151810 <P>This is filtering only devices which have&nbsp;"WANRTC|LANCCO|WLNWLC|APNINT". rest all devices from that site removed. I want other devices also from that site including the above one.<BR /><BR /></P> Mon, 25 Jan 2021 11:03:09 GMT https://community.splunk.com/t5/Splunk-Search/IF-Statement-customized-EVAL/m-p/537030#M151810 jerinvarghese 2021-01-25T11:03:09Z https://community.splunk.com/t5/Splunk-Search/IF-Statement-customized-EVAL/m-p/537046#M151811 <P>alright,</P><P>Try</P><LI-CODE lang="markup">index=opennms "uei.opennms.org/nodes/nodeUp" OR "uei.opennms.org/nodes/nodeDown" | rex field=eventuei "uei.opennms.org/nodes/node(?&lt;Status&gt;.+)" | stats max(_time) as Time latest(Status) as Status by nodelabel | lookup ONMS_nodes.csv nodelabel OUTPUT sitecode | table sitecode, nodelabel, Status,Time | eventstats values(eval(if(match(nodelabel,"WANRTC|LANCCO|WLNWLC|APNINT"),1,null()))) as isPresent by app | where isPresent == 1</LI-CODE><P>&nbsp;</P> Mon, 25 Jan 2021 12:37:27 GMT https://community.splunk.com/t5/Splunk-Search/IF-Statement-customized-EVAL/m-p/537046#M151811 renjith_nair 2021-01-25T12:37:27Z