Spl

revanthammineni · ‎02-23-2023

Hi Splunkers,

I'm working on two conditions where I need to use condition eval statement. Some filters that I need to add for every condition before I do eval. Please help me in achieving this.

Condition 1:
Filters to be applied before:
id is not "N/A" AND risk="Critical" AND risk_factor="critical"
After satisfying above conditions, I have to create a field called score.
eval score=IF(insurance="Y", instate="Y", age_requirements="y", 30, 60)

Condition 2:
Filters to be applied before:
id is not "N/A" AND risk="Critical" AND risk_factor="high"
After satisfying above conditions. Add to the newly existing field "score"
eval score=IF(insurance="Y", instate="Y", age_requirements="y", 60, 90)

TIA.

scelikok · ‎02-23-2023

Hi @revanthammineni,

Your conditions are very similar but else values are overwriting. You can use below to give an idea.

| eval score=if(searchmatch(insurance="Y" instate="Y" age_requirements="y" id!="N/A" risk="Critical" risk_factor="critical" ), 30, 60)
| eval score=if(searchmatch(insurance="Y" instate="Y" age_requirements="y" id!="N/A" risk="Critical" risk_factor="high" ), 60, 90)

If this reply helps you an upvote and "Accept as Solution" is appreciated.

Spl

saved search

scheduled search

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Data Management Digest – May 2026

Join the Conversation

Spl