https://community.splunk.com/t5/Splunk-Search/How-to-evaluate-multiple-values-to-a-single-answer-Like-if-value/m-p/319633#M95556 <P>I didn't know about the <CODE>in</CODE> function! I knew about new <CODE>IN</CODE> operator in SPL, but not in terms of <CODE>eval</CODE>.</P> Fri, 19 Jan 2018 21:38:15 GMT micahkemp 2018-01-19T21:38:15Z https://community.splunk.com/t5/Splunk-Search/How-to-evaluate-multiple-values-to-a-single-answer-Like-if-value/m-p/319630#M95553 <P>Hello,</P> <P>I need to creating grouping of a results by error code .<BR /> There are different type of error code like 1123, 0123, 0000, 1234 etc which are specific to my application.<BR /> The error codes are categorized in 4 category : infra error, customer error, application error, Information_code_not_error</P> <P>One way is to upload a lookup file and use that but I dont have access to do that, only access I have is to run normal queries.<BR /> Please help me if you know a way to do so </P> <P>Like if value in(1,5,3,2,7) then Code1 else if value in(4,6,0) Code 2 else Code 3</P> <P>Thanks</P> Tue, 29 Sep 2020 17:44:56 GMT https://community.splunk.com/t5/Splunk-Search/How-to-evaluate-multiple-values-to-a-single-answer-Like-if-value/m-p/319630#M95553 jagdeepgupta813 2020-09-29T17:44:56Z https://community.splunk.com/t5/Splunk-Search/How-to-evaluate-multiple-values-to-a-single-answer-Like-if-value/m-p/319631#M95554 <P>You can use case statement to do so.</P> <PRE><CODE>your base search with field error_code | eval category=case(match(error_code,"(1|5|3|2|7)"),"infra error",match(error_code,"(4|6|0)","customer error",...other conditions..., true(),"default value here") </CODE></PRE> Thu, 18 Jan 2018 17:39:00 GMT https://community.splunk.com/t5/Splunk-Search/How-to-evaluate-multiple-values-to-a-single-answer-Like-if-value/m-p/319631#M95554 somesoni2 2018-01-18T17:39:00Z https://community.splunk.com/t5/Splunk-Search/How-to-evaluate-multiple-values-to-a-single-answer-Like-if-value/m-p/319632#M95555 <P>You're right on track. Using the example you gave at the end of your post, I'd code it like this:</P> <PRE><CODE>&lt;your base search&gt; | eval code_field=case(in(val_field, "1", "5", "3", "2", "7"), "Code1", in(val_field, "4", "6", "0"), "Code2", 1=1, "Code3") </CODE></PRE> <P>Read in plain English, this code says: <EM>If the value in the field <CODE>val_field</CODE> is one, 5, 3, 2, or 7, then set the value of <CODE>code_field</CODE> to <CODE>"Code1"</CODE>. If the value in the field <CODE>val_field</CODE> is 4, 6, or 0, then sent the value of <CODE>code_field</CODE> to <CODE>"Code2"</CODE>. Otherwise, set the value of the field <CODE>val_field</CODE> to <CODE>"Code3"</CODE>.</EM></P> <P>More info about the <CODE>in()</CODE> function is here:<BR /> <A href="http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/ConditionalFunctions#in.28VALUE-LIST.29">http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/ConditionalFunctions#in.28VALUE-LIST.29</A></P> Thu, 18 Jan 2018 17:46:34 GMT https://community.splunk.com/t5/Splunk-Search/How-to-evaluate-multiple-values-to-a-single-answer-Like-if-value/m-p/319632#M95555 elliotproebstel 2018-01-18T17:46:34Z https://community.splunk.com/t5/Splunk-Search/How-to-evaluate-multiple-values-to-a-single-answer-Like-if-value/m-p/319633#M95556 <P>I didn't know about the <CODE>in</CODE> function! I knew about new <CODE>IN</CODE> operator in SPL, but not in terms of <CODE>eval</CODE>.</P> Fri, 19 Jan 2018 21:38:15 GMT https://community.splunk.com/t5/Splunk-Search/How-to-evaluate-multiple-values-to-a-single-answer-Like-if-value/m-p/319633#M95556 micahkemp 2018-01-19T21:38:15Z