https://community.splunk.com/t5/Splunk-Search/How-to-Use-IF-or-Case-condition/m-p/546744#M155001 <P>Thank you&nbsp;<SPAN class=""><A href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168" target="_self">ITWhisperer</A>,</SPAN></P><P><SPAN class="">But I am getting error in compile:<BR /></SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="error.PNG" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/13613i2F08A5CC6E3E8539/image-size/large?v=v2&amp;px=999" role="button" title="error.PNG" alt="error.PNG" /></span></P><P>&nbsp;</P> Mon, 05 Apr 2021 19:03:54 GMT alex5441 2021-04-05T19:03:54Z https://community.splunk.com/t5/Splunk-Search/How-to-Use-IF-or-Case-condition/m-p/546732#M154995 <P>Hi,</P><P>My logs are in following format:</P><P>{[-]</P><P>logger: .......</P><P>message: ..........</P><P>severity: Error</P><P>}</P><P>{[-]</P><P>exception: .........</P><P>logger: .......</P><P>message: ..........</P><P>severity: Error</P><P>}</P><P>my query is :</P><P>........| rex "\"exception\":\"(&lt;ErrorMsg&gt;.*?)\"" | table Application, ErrorMsg</P><P>&nbsp;</P><P>The issue:</P><P>As some app logs have key "message" and some logs have both "exception" and "message".</P><P>How can I change my query that first it checks if there is key exception, if it does get the value of that key. If there is no Key exception check if there is key "message", if it does get the value of that.</P><P>My current query is able to get the value of exception (if I change exception to message, it gets the value of message. But trying to implement IF or CASE condition here)&nbsp;</P> Mon, 05 Apr 2021 17:31:12 GMT https://community.splunk.com/t5/Splunk-Search/How-to-Use-IF-or-Case-condition/m-p/546732#M154995 alex5441 2021-04-05T17:31:12Z https://community.splunk.com/t5/Splunk-Search/How-to-Use-IF-or-Case-condition/m-p/546737#M154999 <P>Try something like:</P><LI-CODE lang="markup">| rex "(\"exception\":\"(?&lt;ErrorMsg&gt;.*?)\"|\"message\":\"(?&lt;Message&gt;.*?)\")"</LI-CODE> Mon, 05 Apr 2021 18:17:53 GMT https://community.splunk.com/t5/Splunk-Search/How-to-Use-IF-or-Case-condition/m-p/546737#M154999 ITWhisperer 2021-04-05T18:17:53Z https://community.splunk.com/t5/Splunk-Search/How-to-Use-IF-or-Case-condition/m-p/546744#M155001 <P>Thank you&nbsp;<SPAN class=""><A href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168" target="_self">ITWhisperer</A>,</SPAN></P><P><SPAN class="">But I am getting error in compile:<BR /></SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="error.PNG" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/13613i2F08A5CC6E3E8539/image-size/large?v=v2&amp;px=999" role="button" title="error.PNG" alt="error.PNG" /></span></P><P>&nbsp;</P> Mon, 05 Apr 2021 19:03:54 GMT https://community.splunk.com/t5/Splunk-Search/How-to-Use-IF-or-Case-condition/m-p/546744#M155001 alex5441 2021-04-05T19:03:54Z https://community.splunk.com/t5/Splunk-Search/How-to-Use-IF-or-Case-condition/m-p/546747#M155002 <P>Try with different names as in my example</P> Mon, 05 Apr 2021 19:26:21 GMT https://community.splunk.com/t5/Splunk-Search/How-to-Use-IF-or-Case-condition/m-p/546747#M155002 ITWhisperer 2021-04-05T19:26:21Z