topic Re: How do I edit my eval syntax with multiple if conditions to produce a certain field? in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-do-I-edit-my-eval-syntax-with-multiple-if-conditions-to/m-p/277061#M83561 <P>There's no "you should use eval case", it's a preference in my humble opinion.</P> <P>Did you try my search?</P> Mon, 31 Oct 2016 14:17:13 GMT jkat54 2016-10-31T14:17:13Z How do I edit my eval syntax with multiple if conditions to produce a certain field? https://community.splunk.com/t5/Splunk-Search/How-do-I-edit-my-eval-syntax-with-multiple-if-conditions-to/m-p/277055#M83555 <P>Hi all.</P> <P>I have a ruleset like this:</P> <PRE><CODE>MODEL_NUMBER1 AND BTT = SUBTYPE1 MODEL_NUMBER2 AND CTT = SUBTYPE2 MODEL_NUMBER3 AND RTT = SUBTYPE3 MODEL_NUMBER4 AND PTT = SUBTYPE4 </CODE></PRE> <P>My dataset has the MODEL_NUMBER value in 5 fields (<CODE>IP_TYPE1...IP_TYPE5</CODE>) and the other value in the field <CODE>IP_KIND</CODE>.</P> <P>I need to produce a resulting field with the same logic in a new field. I am doing something like this:</P> <PRE><CODE>sourcetype=temp | eval RESULTING_FIELD = if(IP_TYPE1 == "MODEL NUMBER 1" OR IP_TYPE2 == "MODEL NUMBER 1" OR IP_TYPE3 == "MODEL NUMBER 1" OR IP_TYPE4 == "MODEL NUMBER 1" OR IP_TYPE5 == "MODEL NUMBER 1" AND IP_KIND == "BTT", "SUBTYPE1", "OTHER") </CODE></PRE> <P>Works fine for the first subtype, but how I can produce a complete sentence with all fields? I tried with case without success (no OTHER).</P> <P>Thanks!</P> Tue, 29 Sep 2020 11:34:39 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-edit-my-eval-syntax-with-multiple-if-conditions-to/m-p/277055#M83555 changux 2020-09-29T11:34:39Z Re: How do I edit my eval syntax with multiple if conditions to produce a certain field? https://community.splunk.com/t5/Splunk-Search/How-do-I-edit-my-eval-syntax-with-multiple-if-conditions-to/m-p/277056#M83556 <PRE><CODE>See if this works: (put those ORs in parenthesis) sourcetype=temp | eval RESULTING_FIELD = if((IP_TYPE1 == "MODEL NUMBER 1" OR IP_TYPE2 == "MODEL NUMBER 1" OR IP_TYPE3 == "MODEL NUMBER 1" OR IP_TYPE4 == "MODEL NUMBER 1" OR IP_TYPE5 == "MODEL NUMBER 1") AND IP_KIND == "BTT", "SUBTYPE1", "OTHER") </CODE></PRE> Sun, 30 Oct 2016 22:22:44 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-edit-my-eval-syntax-with-multiple-if-conditions-to/m-p/277056#M83556 jkat54 2016-10-30T22:22:44Z Re: How do I edit my eval syntax with multiple if conditions to produce a certain field? https://community.splunk.com/t5/Splunk-Search/How-do-I-edit-my-eval-syntax-with-multiple-if-conditions-to/m-p/277057#M83557 <P>Or maybe I'm misunderstanding your request here.</P> <P>If you're trying to have the same if but for model number 2, 3, etc... Try this</P> <P>first zip the fields into one field to help shorten your if/case statement:</P> <PRE><CODE> |eval a=mvzip(IP_TYPE1,IP_TYPE2) | eval b=mvzip(IP_TYPE3,IP_TYPE4)| eval c=mvzip(a,b) | eval d=mvzip(c,IP_TYPE5) </CODE></PRE> <P>Then use if/case with match:</P> <PRE><CODE> | eval result=if((match(d,".*MODEL NUMBER 1.*") AND IP_KIND=="BTT"),"Subtype1",if((match(d,".*MODEL NUMBER 2.*") AND IP_KIND=="BTT"),"subtype2","other")) </CODE></PRE> <P>For each other subtype replace "other" with another if match statement. Just remember to add another ending parens ")" at the end for each if you start.</P> <P>It's usually the syntax that gets you on these long if or case statements.</P> Sun, 30 Oct 2016 22:35:49 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-edit-my-eval-syntax-with-multiple-if-conditions-to/m-p/277057#M83557 jkat54 2016-10-30T22:35:49Z Re: How do I edit my eval syntax with multiple if conditions to produce a certain field? https://community.splunk.com/t5/Splunk-Search/How-do-I-edit-my-eval-syntax-with-multiple-if-conditions-to/m-p/277058#M83558 <P>Since you're more than 2 condition, you should <CODE>eval-case</CODE> instead of <CODE>eval-if</CODE>. Like this</P> <PRE><CODE> sourcetype=temp | eval RESULTING_FIELD = if((IP_TYPE1="MODEL NUMBER 1" OR IP_TYPE2="MODEL NUMBER 1" OR IP_TYPE3="MODEL NUMBER 1" OR IP_TYPE4="MODEL NUMBER 1" OR IP_TYPE5="MODEL NUMBER 1") AND IP_KIND="BTT", "SUBTYPE1", (IP_TYPE1="MODEL NUMBER 2" OR IP_TYPE2="MODEL NUMBER 2" OR IP_TYPE3="MODEL NUMBER 2" OR IP_TYPE4="MODEL NUMBER 2" OR IP_TYPE5="MODEL NUMBER 2") AND IP_KIND="CTT", "SUBTYPE2", (IP_TYPE1="MODEL NUMBER 3" OR IP_TYPE2="MODEL NUMBER 3" OR IP_TYPE3="MODEL NUMBER 3" OR IP_TYPE4="MODEL NUMBER 3" OR IP_TYPE5="MODEL NUMBER 3") AND IP_KIND="RTT", "SUBTYPE3", (IP_TYPE1="MODEL NUMBER 4" OR IP_TYPE2="MODEL NUMBER 4" OR IP_TYPE3="MODEL NUMBER 4" OR IP_TYPE4="MODEL NUMBER 4" OR IP_TYPE5="MODEL NUMBER 4") AND IP_KIND="PTT", "SUBTYPE4", true(),"OTHER") </CODE></PRE> Mon, 31 Oct 2016 00:04:19 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-edit-my-eval-syntax-with-multiple-if-conditions-to/m-p/277058#M83558 somesoni2 2016-10-31T00:04:19Z Re: How do I edit my eval syntax with multiple if conditions to produce a certain field? https://community.splunk.com/t5/Splunk-Search/How-do-I-edit-my-eval-syntax-with-multiple-if-conditions-to/m-p/277059#M83559 <P>Thanks. You mean:</P> <PRE><CODE> sourcetype=temp | eval RESULTING_FIELD = case((IP_TYPE1="MODEL NUMBER 1" OR IP_TYPE2="MODEL NUMBER 1" OR IP_TYPE3="MODEL NUMBER 1" OR IP_TYPE4="MODEL NUMBER 1" OR IP_TYPE5="MODEL NUMBER 1") AND IP_KIND="BTT", "SUBTYPE1", (IP_TYPE1="MODEL NUMBER 2" OR IP_TYPE2="MODEL NUMBER 2" OR IP_TYPE3="MODEL NUMBER 2" OR IP_TYPE4="MODEL NUMBER 2" OR IP_TYPE5="MODEL NUMBER 2") AND IP_KIND="CTT", "SUBTYPE2", (IP_TYPE1="MODEL NUMBER 3" OR IP_TYPE2="MODEL NUMBER 3" OR IP_TYPE3="MODEL NUMBER 3" OR IP_TYPE4="MODEL NUMBER 3" OR IP_TYPE5="MODEL NUMBER 3") AND IP_KIND="RTT", "SUBTYPE3", (IP_TYPE1="MODEL NUMBER 4" OR IP_TYPE2="MODEL NUMBER 4" OR IP_TYPE3="MODEL NUMBER 4" OR IP_TYPE4="MODEL NUMBER 4" OR IP_TYPE5="MODEL NUMBER 4") AND IP_KIND="PTT", "SUBTYPE4", true(),"OTHER") </CODE></PRE> <P>My resulting field only shows OTHER, any idea?</P> Mon, 31 Oct 2016 02:14:40 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-edit-my-eval-syntax-with-multiple-if-conditions-to/m-p/277059#M83559 changux 2016-10-31T02:14:40Z Re: How do I edit my eval syntax with multiple if conditions to produce a certain field? https://community.splunk.com/t5/Splunk-Search/How-do-I-edit-my-eval-syntax-with-multiple-if-conditions-to/m-p/277060#M83560 <P>Solved, problem with accents into IP_TYPE strings.</P> Mon, 31 Oct 2016 02:30:18 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-edit-my-eval-syntax-with-multiple-if-conditions-to/m-p/277060#M83560 changux 2016-10-31T02:30:18Z Re: How do I edit my eval syntax with multiple if conditions to produce a certain field? https://community.splunk.com/t5/Splunk-Search/How-do-I-edit-my-eval-syntax-with-multiple-if-conditions-to/m-p/277061#M83561 <P>There's no "you should use eval case", it's a preference in my humble opinion.</P> <P>Did you try my search?</P> Mon, 31 Oct 2016 14:17:13 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-edit-my-eval-syntax-with-multiple-if-conditions-to/m-p/277061#M83561 jkat54 2016-10-31T14:17:13Z Re: How do I edit my eval syntax with multiple if conditions to produce a certain field? https://community.splunk.com/t5/Splunk-Search/How-do-I-edit-my-eval-syntax-with-multiple-if-conditions-to/m-p/277062#M83562 <P>Please choose an answer for this question</P> Fri, 01 Mar 2019 19:27:13 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-edit-my-eval-syntax-with-multiple-if-conditions-to/m-p/277062#M83562 ryhluc01 2019-03-01T19:27:13Z