https://community.splunk.com/t5/Splunk-Search/Can-I-use-catch-alls-wildcards-in-Splunk-lookups-if-an-exact/m-p/612247#M212871 <P>Thanks Yuanliu.</P><P>Can the IF function be nested in the event we have multiple conditions?</P><P>&nbsp;</P><P>Regards,</P><P>Mark</P><P>&nbsp;</P> Wed, 07 Sep 2022 11:05:56 GMT mark_cet 2022-09-07T11:05:56Z https://community.splunk.com/t5/Splunk-Search/Can-I-use-catch-alls-wildcards-in-Splunk-lookups-if-an-exact/m-p/612116#M212825 <P>We have alert events coming into Splunk &amp; Splunk ITSI that we open Service Now incidents for, but depending on the event contents the incident will need to be routed to different teams.</P><P>An example scenario is, if the alert comes from server A then set the Service Now assignment group to team A, alerts from all other servers should go to team B.</P><P>We will have many of these scenarios in our environment, what is the best way to do this?</P><P>&nbsp;</P><P>Thanks in advance!</P> Tue, 06 Sep 2022 15:49:49 GMT https://community.splunk.com/t5/Splunk-Search/Can-I-use-catch-alls-wildcards-in-Splunk-lookups-if-an-exact/m-p/612116#M212825 mark_cet 2022-09-06T15:49:49Z https://community.splunk.com/t5/Splunk-Search/Can-I-use-catch-alls-wildcards-in-Splunk-lookups-if-an-exact/m-p/612243#M212869 <P>I think you are looking for the&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/ConditionalFunctions#if.28X.2CY.2CZ.29" target="_blank" rel="noopener">if</A> function, not a wildcard solution.</P><P>Suppose you have a lookup table ServiceNowAssign like the following</P><TABLE border="1" width="34.89583333333333%"><TBODY><TR><TD width="17.11788598612362%">Server</TD><TD width="22.979484283832107%">Team</TD></TR><TR><TD width="17.11788598612362%">A</TD><TD width="22.979484283832107%">Team A</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>You can set up a search like this</P><LI-CODE lang="markup">(your alert condition) | lookup ServiceNowAssign Server | eval assignTo = if(isnull(Team), "Team B", Team)</LI-CODE> Wed, 07 Sep 2022 10:50:22 GMT https://community.splunk.com/t5/Splunk-Search/Can-I-use-catch-alls-wildcards-in-Splunk-lookups-if-an-exact/m-p/612243#M212869 yuanliu 2022-09-07T10:50:22Z https://community.splunk.com/t5/Splunk-Search/Can-I-use-catch-alls-wildcards-in-Splunk-lookups-if-an-exact/m-p/612247#M212871 <P>Thanks Yuanliu.</P><P>Can the IF function be nested in the event we have multiple conditions?</P><P>&nbsp;</P><P>Regards,</P><P>Mark</P><P>&nbsp;</P> Wed, 07 Sep 2022 11:05:56 GMT https://community.splunk.com/t5/Splunk-Search/Can-I-use-catch-alls-wildcards-in-Splunk-lookups-if-an-exact/m-p/612247#M212871 mark_cet 2022-09-07T11:05:56Z https://community.splunk.com/t5/Splunk-Search/Can-I-use-catch-alls-wildcards-in-Splunk-lookups-if-an-exact/m-p/612344#M212900 <P>Ah, for that, you want to use&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/ConditionalFunctions#case.28X.2C.22Y.22.2C....29" target="_blank" rel="noopener">case</A>&nbsp;function instead of nesting if()s. (Yes, you can nest to your heart's content.)</P> Thu, 08 Sep 2022 02:31:40 GMT https://community.splunk.com/t5/Splunk-Search/Can-I-use-catch-alls-wildcards-in-Splunk-lookups-if-an-exact/m-p/612344#M212900 yuanliu 2022-09-08T02:31:40Z https://community.splunk.com/t5/Splunk-Search/Can-I-use-catch-alls-wildcards-in-Splunk-lookups-if-an-exact/m-p/612425#M212932 <P>Thanks again yuanliu!</P> Thu, 08 Sep 2022 13:49:33 GMT https://community.splunk.com/t5/Splunk-Search/Can-I-use-catch-alls-wildcards-in-Splunk-lookups-if-an-exact/m-p/612425#M212932 mark_cet 2022-09-08T13:49:33Z