https://community.splunk.com/t5/Splunk-Search/How-to-use-NOT-match-condition-in-Case-statement-for-Multi/m-p/575305#M200476 <P><SPAN>|eval SNOW_Description=case(EMGC_ADMINSERVER_Status!="k1","Java Process EMGC_ADMINSERVER data not available in splunk on host, EMGC_ORACLE_Status!="k2","Java Process EMGC_ORACLE data not available in splunk on host)</SPAN></P><P>&nbsp;</P><P><SPAN>In the above query, I am getting the output if the first condition&nbsp;EMGC_ADMINSERVER_Status!="k1" is met.</SPAN></P><P><SPAN>I am expecting to get the output when both conditions&nbsp;EMGC_ADMINSERVER_Status!="k1 and&nbsp;EMGC_ORACLE_Status!="k2" are met.</SPAN></P> Wed, 17 Nov 2021 17:33:09 GMT manjunath_0208 2021-11-17T17:33:09Z https://community.splunk.com/t5/Splunk-Search/How-to-use-NOT-match-condition-in-Case-statement-for-Multi/m-p/575301#M200472 <P><SPAN>|eval SNOW_Description=case(EMGC_ADMINSERVER_Status!="k1","Java Process EMGC_ADMINSERVER data not available in splunk on host, EMGC_ORACLE_Status!="k2","Java Process EMGC_ORACLE data not available in splunk on host)</SPAN></P><P>&nbsp;</P><P><SPAN>Here I am trying to use multiple fields inside case statement. I am not getting correct output. How can this be achieved?</SPAN></P> Wed, 17 Nov 2021 16:50:54 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-NOT-match-condition-in-Case-statement-for-Multi/m-p/575301#M200472 manjunath_0208 2021-11-17T16:50:54Z https://community.splunk.com/t5/Splunk-Search/How-to-use-NOT-match-condition-in-Case-statement-for-Multi/m-p/575302#M200473 <P>What output are you getting and what output do you expect?&nbsp; The title of the post says "multi valued field", but the body says "multiple fields".&nbsp; That's two different things so which is the case?&nbsp; The latter is commonplace and should work easily, whereas the former requires one or more mv* functions.</P><P>That looks like it should work once the quotation marks are matched up.</P> Wed, 17 Nov 2021 16:58:54 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-NOT-match-condition-in-Case-statement-for-Multi/m-p/575302#M200473 richgalloway 2021-11-17T16:58:54Z https://community.splunk.com/t5/Splunk-Search/How-to-use-NOT-match-condition-in-Case-statement-for-Multi/m-p/575305#M200476 <P><SPAN>|eval SNOW_Description=case(EMGC_ADMINSERVER_Status!="k1","Java Process EMGC_ADMINSERVER data not available in splunk on host, EMGC_ORACLE_Status!="k2","Java Process EMGC_ORACLE data not available in splunk on host)</SPAN></P><P>&nbsp;</P><P><SPAN>In the above query, I am getting the output if the first condition&nbsp;EMGC_ADMINSERVER_Status!="k1" is met.</SPAN></P><P><SPAN>I am expecting to get the output when both conditions&nbsp;EMGC_ADMINSERVER_Status!="k1 and&nbsp;EMGC_ORACLE_Status!="k2" are met.</SPAN></P> Wed, 17 Nov 2021 17:33:09 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-NOT-match-condition-in-Case-statement-for-Multi/m-p/575305#M200476 manjunath_0208 2021-11-17T17:33:09Z https://community.splunk.com/t5/Splunk-Search/How-to-use-NOT-match-condition-in-Case-statement-for-Multi/m-p/575306#M200477 <P>Case is evaluated from the left until a condition is met.</P><P>So if the first condition is met, subsequent ones are not evaluated. You might want to rethink your conditions/evaluation order.</P> Wed, 17 Nov 2021 17:59:17 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-NOT-match-condition-in-Case-statement-for-Multi/m-p/575306#M200477 PickleRick 2021-11-17T17:59:17Z