Spl

revanthammineni · ‎02-23-2023

Hi Splunkers,

I'm working on two conditions where I need to use condition eval statement. Some filters that I need to add for every condition before I do eval. Please help me in achieving this.

Condition 1:
Filters to be applied before:
id is not "N/A" AND risk="Critical" AND risk_factor="critical"
After satisfying above conditions, I have to create a field called score.
eval score=IF(insurance="Y", instate="Y", age_requirements="y", 30, 60)

Condition 2:
Filters to be applied before:
id is not "N/A" AND risk="Critical" AND risk_factor="high"
After satisfying above conditions. Add to the newly existing field "score"
eval score=IF(insurance="Y", instate="Y", age_requirements="y", 60, 90)

TIA.

scelikok · ‎02-23-2023

Hi @revanthammineni,

Your conditions are very similar but else values are overwriting. You can use below to give an idea.

| eval score=if(searchmatch(insurance="Y" instate="Y" age_requirements="y" id!="N/A" risk="Critical" risk_factor="critical" ), 30, 60)
| eval score=if(searchmatch(insurance="Y" instate="Y" age_requirements="y" id!="N/A" risk="Critical" risk_factor="high" ), 60, 90)

If this reply helps you an upvote and "Accept as Solution" is appreciated.

Spl

saved search

scheduled search

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?

Spl