revanthammineni
Path Finder

Hi Splunkers,

I'm working on two conditions where I need to use a conditional eval statement. There are some filters that I need to apply for every condition before I do the eval. Please help me achieve this.


Condition 1:
Filters to be applied before:
id is not "N/A"  AND risk="Critical" AND risk_factor="critical"
After satisfying the above conditions, I have to create a field called score.
eval score=IF(insurance="Y",  instate="Y", age_requirements="y",  30, 60)

Condition 2:
Filters to be applied before:
id is not "N/A"  AND risk="Critical" AND risk_factor="high"
After satisfying the above conditions, add to the newly existing field "score".
eval score=IF(insurance="Y",  instate="Y", age_requirements="y",  60, 90)


TIA.


scelikok
SplunkTrust

Hi @revanthammineni,

Your conditions are very similar, but the else values are overwriting. You can use the below to get an idea.

| eval score=if(searchmatch("insurance=\"Y\" instate=\"Y\" age_requirements=\"y\" id!=\"N/A\" risk=\"Critical\" risk_factor=\"critical\""), 30, 60)
| eval score=if(searchmatch("insurance=\"Y\" instate=\"Y\" age_requirements=\"y\" id!=\"N/A\" risk=\"Critical\" risk_factor=\"high\""), 60, 90)

If this reply helps you, an upvote and "Accept as Solution" are appreciated.
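
An added example, not part of either post above: one reading of the question in which the filters gate the score, written as a single case() so the second condition cannot overwrite the first. The sample rows are constructed, the helper fields all_yes and in_scope are hypothetical names, and makeresults format=csv assumes a Splunk version that supports it.

```spl
| makeresults format=csv data="id,risk,risk_factor,insurance,instate,age_requirements
A1,Critical,critical,Y,Y,y
A2,Critical,critical,N,Y,y
A3,Critical,high,Y,Y,y
A4,Critical,high,Y,N,y
N/A,Critical,critical,Y,Y,y
A5,Low,high,Y,Y,y"
| eval all_yes=if(insurance="Y" AND instate="Y" AND age_requirements="y", 1, 0)
| eval in_scope=if(id!="N/A" AND risk="Critical", 1, 0)
| eval score=case(
    in_scope=1 AND risk_factor="critical", if(all_yes=1, 30, 60),
    in_scope=1 AND risk_factor="high", if(all_yes=1, 60, 90))
| table id risk risk_factor insurance instate age_requirements score
```

Rows that fail the filters (the id "N/A" row and the risk "Low" row) match no case() branch and are left without a score. String comparisons in eval are case-sensitive, unlike searchmatch, so "Y" and "y" must match the data exactly.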