Spl

revanthammineni · ‎02-23-2023

Hi Splunkers,

I'm working on two conditions where I need to use condition eval statement. Some filters that I need to add for every condition before I do eval. Please help me in achieving this.

Condition 1:
Filters to be applied before:
id is not "N/A" AND risk="Critical" AND risk_factor="critical"
After satisfying above conditions, I have to create a field called score.
eval score=IF(insurance="Y", instate="Y", age_requirements="y", 30, 60)

Condition 2:
Filters to be applied before:
id is not "N/A" AND risk="Critical" AND risk_factor="high"
After satisfying above conditions. Add to the newly existing field "score"
eval score=IF(insurance="Y", instate="Y", age_requirements="y", 60, 90)

TIA.

scelikok · ‎02-23-2023

Hi @revanthammineni,

Your conditions are very similar but else values are overwriting. You can use below to give an idea.

| eval score=if(searchmatch(insurance="Y" instate="Y" age_requirements="y" id!="N/A" risk="Critical" risk_factor="critical" ), 30, 60)
| eval score=if(searchmatch(insurance="Y" instate="Y" age_requirements="y" id!="N/A" risk="Critical" risk_factor="high" ), 60, 90)

If this reply helps you an upvote and "Accept as Solution" is appreciated.

Spl

saved search

scheduled search

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

Join the Conversation

Spl

saved search

scheduled search

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey