https://community.splunk.com/t5/Splunk-Search/How-to-apply-the-condition-in-multivalue-event/m-p/303752#M91366 <P>Splunk Experts,</P> <P>How to write the eval command to compare the Multivalue, Below is data,</P> <PRE><CODE> **Servicename** **Status** ServerName NGS121 Ad_service Running CIM_service Running Jabber NotRunning Citrix NotRunning. </CODE></PRE> <P>IF any of the Status is "NotRunning" I should get the ServiceStatus as "Not-Running" O/P as </P> <PRE><CODE>Servername ServiceStatus NGS121 Not-Running </CODE></PRE> Wed, 21 Feb 2018 21:01:03 GMT VsplunkV 2018-02-21T21:01:03Z https://community.splunk.com/t5/Splunk-Search/How-to-apply-the-condition-in-multivalue-event/m-p/303752#M91366 <P>Splunk Experts,</P> <P>How to write the eval command to compare the Multivalue, Below is data,</P> <PRE><CODE> **Servicename** **Status** ServerName NGS121 Ad_service Running CIM_service Running Jabber NotRunning Citrix NotRunning. </CODE></PRE> <P>IF any of the Status is "NotRunning" I should get the ServiceStatus as "Not-Running" O/P as </P> <PRE><CODE>Servername ServiceStatus NGS121 Not-Running </CODE></PRE> Wed, 21 Feb 2018 21:01:03 GMT https://community.splunk.com/t5/Splunk-Search/How-to-apply-the-condition-in-multivalue-event/m-p/303752#M91366 VsplunkV 2018-02-21T21:01:03Z https://community.splunk.com/t5/Splunk-Search/How-to-apply-the-condition-in-multivalue-event/m-p/303753#M91367 <P>This will create a field called <CODE>ServiceStatus</CODE> and assign it the value <CODE>Not-Running</CODE> if any value for <CODE>Status</CODE> is set to <CODE>NotRunning</CODE>, and then it will retain only the events where <CODE>ServiceStatus="Not-Running"</CODE>:</P> <PRE><CODE>[ your existing search ] | eval ServiceStatus=if(like(Status, "NotRunning"), "Not-Running", "Running") | where ServiceStatus="Not-Running" | fields ServerName ServiceStatus </CODE></PRE> Wed, 21 Feb 2018 22:12:41 GMT https://community.splunk.com/t5/Splunk-Search/How-to-apply-the-condition-in-multivalue-event/m-p/303753#M91367 elliotproebstel 2018-02-21T22:12:41Z https://community.splunk.com/t5/Splunk-Search/How-to-apply-the-condition-in-multivalue-event/m-p/303754#M91368 <P>Try like this</P> <PRE><CODE>your current search giving multivalued field Status and other fields | eval Status=if(isnotnull(mvfilter(Status,"NotRunning")),"NonRunning","Running") </CODE></PRE> Wed, 21 Feb 2018 22:44:37 GMT https://community.splunk.com/t5/Splunk-Search/How-to-apply-the-condition-in-multivalue-event/m-p/303754#M91368 somesoni2 2018-02-21T22:44:37Z https://community.splunk.com/t5/Splunk-Search/How-to-apply-the-condition-in-multivalue-event/m-p/303755#M91369 <P>Thank you. It worked.</P> Wed, 21 Feb 2018 22:52:45 GMT https://community.splunk.com/t5/Splunk-Search/How-to-apply-the-condition-in-multivalue-event/m-p/303755#M91369 VsplunkV 2018-02-21T22:52:45Z https://community.splunk.com/t5/Splunk-Search/How-to-apply-the-condition-in-multivalue-event/m-p/303756#M91370 <P>Thank you. It worked</P> Wed, 21 Feb 2018 22:53:06 GMT https://community.splunk.com/t5/Splunk-Search/How-to-apply-the-condition-in-multivalue-event/m-p/303756#M91370 VsplunkV 2018-02-21T22:53:06Z