https://community.splunk.com/t5/Splunk-Search/I-have-an-event-with-status-0-status-0-status-0-I-want-if-all/m-p/336106#M99794 <P>This might work. Use rex command to match status values and create a single multivalue field. Then use eventstats to sum the values of your multivalue field. If the sum of status = 0, set a new_field to "OK". Otherwise, set new_field to "FAILURE". In the search below you can disregard the 'makeresults' and 'eval _raw =' commands. I just add those to generate an example event like yours that I can use. You want REX &amp; EVENTSTATS</P> <PRE><CODE>| makeresults | EVAL _raw = "status=0 status=0 status=0" | REX max_match=0 field=_raw "status=(?P&lt;status&gt;[0-9])" | EVENTSTATS sum(status) AS status_sum | EVAL new_field=IF(status_sum==0,"OK","FAILURE") </CODE></PRE> Tue, 29 Sep 2020 13:40:47 GMT jpass 2020-09-29T13:40:47Z https://community.splunk.com/t5/Splunk-Search/I-have-an-event-with-status-0-status-0-status-0-I-want-if-all/m-p/336105#M99793 <P>I have an event with status=0 status=0 status=0 .... I want if all status fields values are 0 then new_field value is "sucess " else new_field="failure"</P> Tue, 29 Sep 2020 13:44:00 GMT https://community.splunk.com/t5/Splunk-Search/I-have-an-event-with-status-0-status-0-status-0-I-want-if-all/m-p/336105#M99793 nagarjuna280 2020-09-29T13:44:00Z https://community.splunk.com/t5/Splunk-Search/I-have-an-event-with-status-0-status-0-status-0-I-want-if-all/m-p/336106#M99794 <P>This might work. Use rex command to match status values and create a single multivalue field. Then use eventstats to sum the values of your multivalue field. If the sum of status = 0, set a new_field to "OK". Otherwise, set new_field to "FAILURE". In the search below you can disregard the 'makeresults' and 'eval _raw =' commands. I just add those to generate an example event like yours that I can use. You want REX &amp; EVENTSTATS</P> <PRE><CODE>| makeresults | EVAL _raw = "status=0 status=0 status=0" | REX max_match=0 field=_raw "status=(?P&lt;status&gt;[0-9])" | EVENTSTATS sum(status) AS status_sum | EVAL new_field=IF(status_sum==0,"OK","FAILURE") </CODE></PRE> Tue, 29 Sep 2020 13:40:47 GMT https://community.splunk.com/t5/Splunk-Search/I-have-an-event-with-status-0-status-0-status-0-I-want-if-all/m-p/336106#M99794 jpass 2020-09-29T13:40:47Z https://community.splunk.com/t5/Splunk-Search/I-have-an-event-with-status-0-status-0-status-0-I-want-if-all/m-p/336107#M99795 <P>Since there is no sample data given, assuming you have data as below where string <CODE>status=&lt;singleDigit&gt;</CODE> can occur multiple times and this occurrence might also vary however many times within an event. (The query however works well for events where <CODE>status=&lt;singleDigit&gt;</CODE> phrase occurs same number of times within each event):</P> <PRE><CODE>aa, status=0 status=0 status=0 status=0 status=0 bb, status=0 status=0 status=1 cc, status=1 status=1 dd, status=0 </CODE></PRE> <P>Then how about trying this one:</P> <PRE><CODE>your query to return raw events | rex max_match=0 field=_raw "status=(?&lt;myStatus&gt;\d)\s*" | mvexpand myStatus | stats sum(myStatus) as Sum by _raw | eval new_field=if(Sum=0, "success", "failure") | table _raw, new_field </CODE></PRE> <P><STRONG><EM>Sample snapshot:</EM></STRONG></P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/2792iC852866FA9AFDAE8/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Mon, 17 Apr 2017 06:57:26 GMT https://community.splunk.com/t5/Splunk-Search/I-have-an-event-with-status-0-status-0-status-0-I-want-if-all/m-p/336107#M99795 gokadroid 2017-04-17T06:57:26Z