https://community.splunk.com/t5/Splunk-Search/Nested-IF-Structure-Assign-Values/m-p/179012#M51539 <P>Hi Mark,<BR /> it had a typo, the double quote in front of End was superfluous</P> <PRE><CODE>...| eval PenatlyPoints=if(&lt;time&gt; &lt; &lt;timelimit&gt; ,if(match(_raw,".*End Program.*"), "1","100"), " ") </CODE></PRE> <P>sorry for the confusion.</P> <P>The match function returns true only if the filed contains a value which is matched by the regular expression, in the example above it will be true if the string <STRONG>End Program</STRONG> is found somewhere in the field _raw (the complete event)</P> Thu, 08 Jan 2015 12:14:07 GMT FritzWittwer_ol 2015-01-08T12:14:07Z https://community.splunk.com/t5/Splunk-Search/Nested-IF-Structure-Assign-Values/m-p/179007#M51534 <P>Hello,<BR /> We have a nested IF structure and we want to use it to assign a value to a field called PenaltyPoints1</P> <P>Firstly it checks to see if the current time meets the required minimum time, if that's true then it should search for the phrase "End Program" and if it finds it, PenaltyPoints1 should be set a value of 0, if it cannot find it, then it should be assigned a value of 100. </P> <P>Thanks</P> Thu, 08 Jan 2015 10:59:52 GMT https://community.splunk.com/t5/Splunk-Search/Nested-IF-Structure-Assign-Values/m-p/179007#M51534 markthompson 2015-01-08T10:59:52Z https://community.splunk.com/t5/Splunk-Search/Nested-IF-Structure-Assign-Values/m-p/179008#M51535 <P>you can nest ifs just like any other function, e.g.</P> <PRE><CODE>...| eval PenatlyPoints=if(&lt;time&gt; &lt; &lt;timelimit&gt; ,if(match(&lt;field&gt;,".*"End Program.*"), "1","100"), " ") </CODE></PRE> <P>see also <A href="http://docs.splunk.com/Documentation/Splunk/6.1.5/SearchReference/CommonEvalFunctions">http://docs.splunk.com/Documentation/Splunk/6.1.5/SearchReference/CommonEvalFunctions</A></P> Thu, 08 Jan 2015 11:50:28 GMT https://community.splunk.com/t5/Splunk-Search/Nested-IF-Structure-Assign-Values/m-p/179008#M51535 FritzWittwer_ol 2015-01-08T11:50:28Z https://community.splunk.com/t5/Splunk-Search/Nested-IF-Structure-Assign-Values/m-p/179009#M51536 <P>Hi FritzWittwer,<BR /> Unfortunately, the "End Program" isn't in a field, it's in the content of the Event.</P> <P>Thanks for the quick response.</P> Thu, 08 Jan 2015 11:58:38 GMT https://community.splunk.com/t5/Splunk-Search/Nested-IF-Structure-Assign-Values/m-p/179009#M51536 markthompson 2015-01-08T11:58:38Z https://community.splunk.com/t5/Splunk-Search/Nested-IF-Structure-Assign-Values/m-p/179010#M51537 <P>Hi Mark,<BR /> in this case you can just use the filed named <CODE>_raw</CODE> this contains the whole raw event data.</P> <P>Fritz</P> Thu, 08 Jan 2015 12:01:56 GMT https://community.splunk.com/t5/Splunk-Search/Nested-IF-Structure-Assign-Values/m-p/179010#M51537 FritzWittwer_ol 2015-01-08T12:01:56Z https://community.splunk.com/t5/Splunk-Search/Nested-IF-Structure-Assign-Values/m-p/179011#M51538 <P>It also appears to error with "Unbalanced Quotes", can you use "event" as a field? Also, Could you explain the match(field, ".<EM>"End Program.</EM>" as it seems to me you're searching for "End Program" as opposed to End Program</P> Thu, 08 Jan 2015 12:05:28 GMT https://community.splunk.com/t5/Splunk-Search/Nested-IF-Structure-Assign-Values/m-p/179011#M51538 markthompson 2015-01-08T12:05:28Z https://community.splunk.com/t5/Splunk-Search/Nested-IF-Structure-Assign-Values/m-p/179012#M51539 <P>Hi Mark,<BR /> it had a typo, the double quote in front of End was superfluous</P> <PRE><CODE>...| eval PenatlyPoints=if(&lt;time&gt; &lt; &lt;timelimit&gt; ,if(match(_raw,".*End Program.*"), "1","100"), " ") </CODE></PRE> <P>sorry for the confusion.</P> <P>The match function returns true only if the filed contains a value which is matched by the regular expression, in the example above it will be true if the string <STRONG>End Program</STRONG> is found somewhere in the field _raw (the complete event)</P> Thu, 08 Jan 2015 12:14:07 GMT https://community.splunk.com/t5/Splunk-Search/Nested-IF-Structure-Assign-Values/m-p/179012#M51539 FritzWittwer_ol 2015-01-08T12:14:07Z https://community.splunk.com/t5/Splunk-Search/Nested-IF-Structure-Assign-Values/m-p/179013#M51540 <P>Hi FritzWittwer, <BR /> Thanks for that, I've changed the 1 to a 0 as they should not receive any penaltypoints for finishing the job at the right time. </P> <P>I'll mark it as the answer now, but first would you mind converting your comment to an answer?</P> Thu, 08 Jan 2015 12:31:07 GMT https://community.splunk.com/t5/Splunk-Search/Nested-IF-Structure-Assign-Values/m-p/179013#M51540 markthompson 2015-01-08T12:31:07Z https://community.splunk.com/t5/Splunk-Search/Nested-IF-Structure-Assign-Values/m-p/179014#M51541 <P>Hi Mark,<BR /> so the final solution is</P> <PRE><CODE>...| eval PenaltyPoints=if(&lt;time&gt; &lt; &lt;timelimit&gt; ,if(match(_raw,".*End Program.*"), "0","100"), " ") </CODE></PRE> <P>of course <STRONG>time</STRONG> and <STRONG>timelimit</STRONG> are just placeholders</P> <P>Fritz</P> Thu, 08 Jan 2015 12:35:55 GMT https://community.splunk.com/t5/Splunk-Search/Nested-IF-Structure-Assign-Values/m-p/179014#M51541 FritzWittwer_ol 2015-01-08T12:35:55Z https://community.splunk.com/t5/Splunk-Search/Nested-IF-Structure-Assign-Values/m-p/179015#M51542 <P>Hi FtizWittwer, Don't suppose you know anything about eventstats. </P> <P><A href="http://answers.splunk.com/answers/208180/eventstats-count-function.html">http://answers.splunk.com/answers/208180/eventstats-count-function.html</A></P> Thu, 08 Jan 2015 13:26:09 GMT https://community.splunk.com/t5/Splunk-Search/Nested-IF-Structure-Assign-Values/m-p/179015#M51542 markthompson 2015-01-08T13:26:09Z