https://community.splunk.com/t5/Splunk-Search/Question-about-eval-if-4-arguments/m-p/309374#M92789 <P>Hi, i try to select on same event with different Values and they give result différent but Splunk find none result. Can you tell me what is wrong on my command ? Thanks </P> <P>eval Agent= if(isnull(Agent) OR ( Agent=="aaa*", "bbb*") OR (Agent=="ccc*" , "ddd*" ,"reee*")OR (Agent=="*"),Messagerie, AC,MANAGERS,TECHNICIENS )</P> Tue, 29 Sep 2020 12:55:18 GMT Abarny 2020-09-29T12:55:18Z https://community.splunk.com/t5/Splunk-Search/Question-about-eval-if-4-arguments/m-p/309374#M92789 <P>Hi, i try to select on same event with different Values and they give result différent but Splunk find none result. Can you tell me what is wrong on my command ? Thanks </P> <P>eval Agent= if(isnull(Agent) OR ( Agent=="aaa*", "bbb*") OR (Agent=="ccc*" , "ddd*" ,"reee*")OR (Agent=="*"),Messagerie, AC,MANAGERS,TECHNICIENS )</P> Tue, 29 Sep 2020 12:55:18 GMT https://community.splunk.com/t5/Splunk-Search/Question-about-eval-if-4-arguments/m-p/309374#M92789 Abarny 2020-09-29T12:55:18Z https://community.splunk.com/t5/Splunk-Search/Question-about-eval-if-4-arguments/m-p/309375#M92790 <P><CODE>(field="value1", "value2")</CODE> is not a valid <CODE>eval</CODE> expression. If you're looking for a list of possible values, you will need to spell them out explicitly like this: <CODE>(field="value1" OR field="value2")</CODE>.</P> <P>Similarly, <CODE>if()</CODE> only takes three arguments - the condition, the then-value, and the else value. If you're trying to test several conditions and yield a different result for each condition, you'll want to use <CODE>case()</CODE> like this: <CODE>case(condition1, value1, condition2, value2, ...)</CODE></P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/CommonEvalFunctions#Comparison_and_Conditional_functions">http://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/CommonEvalFunctions#Comparison_and_Conditional_functions</A></P> Fri, 17 Feb 2017 09:52:27 GMT https://community.splunk.com/t5/Splunk-Search/Question-about-eval-if-4-arguments/m-p/309375#M92790 martin_mueller 2017-02-17T09:52:27Z https://community.splunk.com/t5/Splunk-Search/Question-about-eval-if-4-arguments/m-p/309376#M92791 <P>Thanks :).</P> <P>I try with your solution but I think it's false again. I am a trainee and I try to do my best. So just bear with me. ( and with my English :))</P> <P>eval Personnel =case(Agent == null() , "Messagerie", Agent ==("aa*" OR "bb*"), "AC", Agent=="*",TECHNICIENS) |stats count by Personnel</P> <P>The last Agent is for give the reste of the values</P> Tue, 29 Sep 2020 12:55:21 GMT https://community.splunk.com/t5/Splunk-Search/Question-about-eval-if-4-arguments/m-p/309376#M92791 Abarny 2020-09-29T12:55:21Z https://community.splunk.com/t5/Splunk-Search/Question-about-eval-if-4-arguments/m-p/309377#M92792 <P>Give this a try</P> <PRE><CODE>eval Personnel =case(isnull(Agent) , "Messagerie", like(Agent,"aa%") OR like(Agent,"bb%"), "AC", 1=1,TECHNICIENS) |stats count by Personnel </CODE></PRE> <P>So, <BR /> If <CODE>Agent is null</CODE> - Personnel=Messagerie<BR /> if <CODE>Agent="aa*"</CODE> OR <CODE>Agent="bb*"</CODE>(in search <CODE>*</CODE> is wildcard, for like function in eval , % is wildcard), Personnel=AC<BR /> For all other cases, Personnel=TECHNICIENS</P> Fri, 17 Feb 2017 14:44:42 GMT https://community.splunk.com/t5/Splunk-Search/Question-about-eval-if-4-arguments/m-p/309377#M92792 somesoni2 2017-02-17T14:44:42Z https://community.splunk.com/t5/Splunk-Search/Question-about-eval-if-4-arguments/m-p/309378#M92793 <P>Thanks you Somesoni2 !!</P> Fri, 17 Feb 2017 14:55:32 GMT https://community.splunk.com/t5/Splunk-Search/Question-about-eval-if-4-arguments/m-p/309378#M92793 Abarny 2017-02-17T14:55:32Z https://community.splunk.com/t5/Splunk-Search/Question-about-eval-if-4-arguments/m-p/309379#M92794 <P>Thanks you Somesoni2 !!</P> Fri, 17 Feb 2017 14:57:18 GMT https://community.splunk.com/t5/Splunk-Search/Question-about-eval-if-4-arguments/m-p/309379#M92794 Abarny 2017-02-17T14:57:18Z