https://community.splunk.com/t5/Splunk-Search/How-to-compare-nested-case-statements-with-eval/m-p/590576#M205614 <P>Try putting the field names with hyphens in in single quotes - something like this (or use fieldnames without hyphens!)</P><LI-CODE lang="markup">table hqid, httpStatus | eval status-success=if(httpStatus="200",1,0) | eval status-fail= if(httpStatus != "200",1,0) | stats sum(status-success) as status-success, sum(status-fail) as status-fail by hqid | eval status = case('status-fail' = 0 AND 'status-success' &gt; 0, "successful-logins", 'status-fail' &gt; 0 AND 'status-success' &gt; 0, "multi-success", 'status-fail' &gt; 0 AND 'status-success'=0, "multi-fail", 'status-fail' &gt; 0, "fail",1=1,"Others")</LI-CODE> Thu, 24 Mar 2022 06:43:04 GMT ITWhisperer 2022-03-24T06:43:04Z https://community.splunk.com/t5/Splunk-Search/How-to-compare-nested-case-statements-with-eval/m-p/590562#M205606 <P>Hi,</P> <P>I am trying to use <STRONG>case</STRONG> keyword to solve a multiple nested statement &nbsp;but it is just giving me output for the else value, it seems like it is not going inside any other statement to check, Could anyone please help me here. I tired using multiple if statement with eval still I was having the same issue.</P> <P>Problem statement : I want to compare the value of status-fail and status-success and on the basis of that we need to generate the output</P> <P>case1 : if value of status-fail =0 and status-success&gt;0 ---&gt; successful logins</P> <P>case2:&nbsp;if value of status-fail &gt;0 and status-success&gt;0 ---&gt; &nbsp;multi-successful logins</P> <P>case3:&nbsp;if value of status-fail &gt;0 and status-success=0 ---&gt; multi-fail</P> <P>case4:&nbsp;if value of status-fail &gt;0 &nbsp;---&gt; fail logins</P> <P>Below is the query what I am using :</P> <P>table hqid, httpStatus | eval status-success=if(httpStatus="200",1,0) | eval status-fail= if(httpStatus != "200",1,0)<BR />| stats sum(status-success) as status-success, sum(status-fail) as status-fail by hqid | eval status = case(status-fail = 0 AND status-success &gt; 0, "successful-logins", status-fail &gt; 0 AND status-success &gt; 0, "multi-success", status-fail &gt; 0 AND status-success=0, "multi-fail", status-fail &gt; 0, "fail",1=1,"Others")</P> Thu, 24 Mar 2022 15:14:34 GMT https://community.splunk.com/t5/Splunk-Search/How-to-compare-nested-case-statements-with-eval/m-p/590562#M205606 anu1729 2022-03-24T15:14:34Z https://community.splunk.com/t5/Splunk-Search/How-to-compare-nested-case-statements-with-eval/m-p/590576#M205614 <P>Try putting the field names with hyphens in in single quotes - something like this (or use fieldnames without hyphens!)</P><LI-CODE lang="markup">table hqid, httpStatus | eval status-success=if(httpStatus="200",1,0) | eval status-fail= if(httpStatus != "200",1,0) | stats sum(status-success) as status-success, sum(status-fail) as status-fail by hqid | eval status = case('status-fail' = 0 AND 'status-success' &gt; 0, "successful-logins", 'status-fail' &gt; 0 AND 'status-success' &gt; 0, "multi-success", 'status-fail' &gt; 0 AND 'status-success'=0, "multi-fail", 'status-fail' &gt; 0, "fail",1=1,"Others")</LI-CODE> Thu, 24 Mar 2022 06:43:04 GMT https://community.splunk.com/t5/Splunk-Search/How-to-compare-nested-case-statements-with-eval/m-p/590576#M205614 ITWhisperer 2022-03-24T06:43:04Z https://community.splunk.com/t5/Splunk-Search/How-to-compare-nested-case-statements-with-eval/m-p/590584#M205620 <P>Thank you , its working now.</P> Thu, 24 Mar 2022 07:01:31 GMT https://community.splunk.com/t5/Splunk-Search/How-to-compare-nested-case-statements-with-eval/m-p/590584#M205620 anu1729 2022-03-24T07:01:31Z