https://community.splunk.com/t5/Splunk-Search/Need-alternative-to-nested-if-s-wildcard-for-time-sensitive/m-p/192745#M55426 <P>This would probably work too. The match statement did the trick as well. Thanks for the comment!</P> Tue, 18 Mar 2014 22:47:06 GMT daviduslan 2014-03-18T22:47:06Z https://community.splunk.com/t5/Splunk-Search/Need-alternative-to-nested-if-s-wildcard-for-time-sensitive/m-p/192742#M55423 <P>Hello,</P> <P>I have the following situation that I was hoping to use nested if's to solve. We have a series of errors that are only actionable if they appear over a period of time. Many of the errors share similar messages, so I was hoping to use wildcards to capture them all. Unfortunately, wildcards don't appear to work in if statements, so I was wondering if anyone with more experience (I'm a huge noob) could point me towards a better method that accomplishes the same goal. Here is my current query:</P> <PRE>index=echelon sourcetype=echelon_error | eval error_type=if( message="Redis search failure*", "Search Failure", (if(message="PHP Fatal error:*", "PHP Fatal Errors", (if(message="sendsoaprequest failed*", "Soap Request Failed", (if(message="*Maximum execution time of 600 seconds exceeded*", "Max Execution Exceeded", (if(message="*Error creating performer_profile entry*", "Performer Profile Entry Error", (if(message="*exception='foo*", "MainController Failure", (if(program="/sync-staging.pl", "Staging Sync Error", ""))))))))))))) | Where error_type !="" | bucket _time span=1h | stats count AS program_count by program, error_type, _time | stats count AS program_occurred_in_x_different_hours, sum(program_count) AS error_occurrences_total by program, error_type | where program_occurred_in_x_different_hours &gt; 1</PRE> Tue, 18 Mar 2014 17:41:36 GMT https://community.splunk.com/t5/Splunk-Search/Need-alternative-to-nested-if-s-wildcard-for-time-sensitive/m-p/192742#M55423 daviduslan 2014-03-18T17:41:36Z https://community.splunk.com/t5/Splunk-Search/Need-alternative-to-nested-if-s-wildcard-for-time-sensitive/m-p/192743#M55424 <P>Found the solution, OK to ignore this. Used match within the if.</P> <PRE>if( match(message, ".*PHP Fatal error:*."), "PHP Fatal Errors", (if</PRE> Tue, 18 Mar 2014 18:08:31 GMT https://community.splunk.com/t5/Splunk-Search/Need-alternative-to-nested-if-s-wildcard-for-time-sensitive/m-p/192743#M55424 daviduslan 2014-03-18T18:08:31Z https://community.splunk.com/t5/Splunk-Search/Need-alternative-to-nested-if-s-wildcard-for-time-sensitive/m-p/192744#M55425 <P>Perhaps a case statement would help.</P> <PRE><CODE>eval error_type=case (message like "Redis search failure%", "Search Failure", message like "PHP Fatal error:%", "PHP Fatal Errors", message like "sendsoaprequest failed%", "Soap Request Failed", message "%Maximum execution time of 600 seconds exceeded%", "Max Execution Exceeded", message like "%Error creating performer_profile entry%", "Performer Profile Entry Error", message like "%exception='foo%", "MainController Failure", program="/sync-staging.pl", "Staging Sync Error") | Where error_type NOT NULL | ... </CODE></PRE> Tue, 18 Mar 2014 18:15:00 GMT https://community.splunk.com/t5/Splunk-Search/Need-alternative-to-nested-if-s-wildcard-for-time-sensitive/m-p/192744#M55425 richgalloway 2014-03-18T18:15:00Z https://community.splunk.com/t5/Splunk-Search/Need-alternative-to-nested-if-s-wildcard-for-time-sensitive/m-p/192745#M55426 <P>This would probably work too. The match statement did the trick as well. Thanks for the comment!</P> Tue, 18 Mar 2014 22:47:06 GMT https://community.splunk.com/t5/Splunk-Search/Need-alternative-to-nested-if-s-wildcard-for-time-sensitive/m-p/192745#M55426 daviduslan 2014-03-18T22:47:06Z