https://community.splunk.com/t5/Splunk-Search/Multiple-operations-from-a-single-if-condition/m-p/690567#M235182 <P>Is it possible to action multiple operations in a single if condition, like what can be done in other languages?<BR /><BR />For example, in other scripting languages this can be done:</P><P>&nbsp;</P><LI-CODE lang="markup">if(field==1){ group=group+1; groups=groups+","+group; } else { //this is a comment, do nothing }</LI-CODE><P>&nbsp;</P><P>How can this be done in splunk?</P> Wed, 12 Jun 2024 23:00:58 GMT cjohnk 2024-06-12T23:00:58Z https://community.splunk.com/t5/Splunk-Search/Multiple-operations-from-a-single-if-condition/m-p/690567#M235182 <P>Is it possible to action multiple operations in a single if condition, like what can be done in other languages?<BR /><BR />For example, in other scripting languages this can be done:</P><P>&nbsp;</P><LI-CODE lang="markup">if(field==1){ group=group+1; groups=groups+","+group; } else { //this is a comment, do nothing }</LI-CODE><P>&nbsp;</P><P>How can this be done in splunk?</P> Wed, 12 Jun 2024 23:00:58 GMT https://community.splunk.com/t5/Splunk-Search/Multiple-operations-from-a-single-if-condition/m-p/690567#M235182 cjohnk 2024-06-12T23:00:58Z https://community.splunk.com/t5/Splunk-Search/Multiple-operations-from-a-single-if-condition/m-p/690569#M235183 <P>You can't do block ifs in Splunk, so you have to do all conditionals inside the <STRONG>| eval x=if(...) </STRONG>construct</P> Wed, 12 Jun 2024 23:29:28 GMT https://community.splunk.com/t5/Splunk-Search/Multiple-operations-from-a-single-if-condition/m-p/690569#M235183 bowesmana 2024-06-12T23:29:28Z https://community.splunk.com/t5/Splunk-Search/Multiple-operations-from-a-single-if-condition/m-p/690570#M235184 <P>Short answer is no.</P><P>Splunk SPL is not a procedural language (like some other languages). Essentially, the if function can be used to modify what is assigned by an eval command to a new or existing field in the event, although you can have multiple assignments in the same eval command e.g. | eval a=value1, b=value2</P> Wed, 12 Jun 2024 23:31:14 GMT https://community.splunk.com/t5/Splunk-Search/Multiple-operations-from-a-single-if-condition/m-p/690570#M235184 ITWhisperer 2024-06-12T23:31:14Z https://community.splunk.com/t5/Splunk-Search/Multiple-operations-from-a-single-if-condition/m-p/690581#M235187 <P>As&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;and&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/6367">@bowesmana</a>&nbsp;said, SPL is not a procedural language and does not provide code block. &nbsp;I do understand the semantic clarity, and maintainability of a code block. &nbsp;So, I am going to use the specifics in your sample to give a very silly "block".</P><P>Obviously I have no idea what values are in field, group and groups. &nbsp;So I made something up, with the constraint that group be numeric.</P><TABLE><TBODY><TR><TD>field</TD><TD>group</TD><TD>groups</TD></TR><TR><TD>0</TD><TD>10</TD><TD>10</TD></TR><TR><TD>1</TD><TD>20</TD><TD>30</TD></TR><TR><TD>2</TD><TD>30</TD><TD>60</TD></TR></TBODY></TABLE><P>The following will read like a block:</P><P>&nbsp;</P><LI-CODE lang="markup">| eval bingo = if(field == 1, mvrange(group, group+1), null()) | foreach bingo mode=multivalue [eval group = &lt;&lt;ITEM&gt;&gt; + 1, groups = groups . "," . &lt;&lt;ITEM&gt;&gt;]</LI-CODE><P>&nbsp;</P><P>and the output is equivalent to your block code</P><TABLE width="133px"><TBODY><TR><TD>field</TD><TD>group</TD><TD>groups</TD></TR><TR><TD width="40px">0</TD><TD width="40px">10</TD><TD width="52.515625px">10</TD></TR><TR><TD width="40px">1</TD><TD width="40px">21</TD><TD width="52.515625px">30,20</TD></TR><TR><TD width="40px">2</TD><TD width="40px">30</TD><TD width="52.515625px">60</TD></TR></TBODY></TABLE><P>Is that code block? Not really. &nbsp;Does it achieve semantic clarity? &nbsp;Questionable. &nbsp;But you are not repeating condition evaluation.</P><P>Also, if maintainability is super important, you can also do something like</P><P>&nbsp;</P><LI-CODE lang="markup">| tojson group groups | eval _raw = if(field == 1, json_set(_raw, "group", group + 1, "groups", groups . "," . group), _raw) | fields - group groups | spath</LI-CODE><P>&nbsp;</P><P>In a roundabout way, this has the true spirit of a code block.</P><P>The above mock data is produced with the following:</P><P>&nbsp;</P><LI-CODE lang="markup">| makeresults format=csv data="field, group 0, 10 1, 20 2, 30" | streamstats sum(group) as groups ``` data emulation above ```</LI-CODE><P>&nbsp;</P><P>&nbsp;</P> Thu, 13 Jun 2024 06:34:33 GMT https://community.splunk.com/t5/Splunk-Search/Multiple-operations-from-a-single-if-condition/m-p/690581#M235187 yuanliu 2024-06-13T06:34:33Z