Splunk Dev
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

USE AND Operator in IF or CASE statement

kumagaur
New Member
‎01-24-2019 08:59 AM

I have one lookup in which there is a field which consist
Team Member
A1
A2
A3
A4
A5
A6
A7
Now,If
TeamMember=(A1 OR A2) AND A4 AND A7 then print Aseries
TeamMember=(A1 OR A2) and A5 AND A6 then print Bseries

I tried |eval Team=if((con1=="A1 OR con1=A2)"AND con1=="A4" AND con1=A7,Aseries,Other)

I used case as well but no luck.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎01-25-2019 02:37 PM

Maybe like this:

Your Base Search Here
| appendpipe [|inputlookup TeamMember.csv | stats values(TeamMember) AS con1]
| eval Team=if(((con1=="A1" OR con1=="A2") AND con1=="A4" AND con1=="A7"), "Aseries", "Bseries")

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎01-25-2019 02:37 PM

Maybe like this:

Your Base Search Here
| appendpipe [|inputlookup TeamMember.csv | stats values(TeamMember) AS con1]
| eval Team=if(((con1=="A1" OR con1=="A2") AND con1=="A4" AND con1=="A7"), "Aseries", "Bseries")
0 Karma
Reply
Solved! Jump to solution

vishaltaneja070
Motivator
‎01-24-2019 10:44 PM

Try this:
| eval Team= if((con1== "A1" OR con1=="A2") AND con1=="A4" AND con1="A7", Aseries, Other)

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎01-24-2019 08:48 PM

@kumagaur ,
Do you have multiple values of con1 in a single event ? If not AND condition will not work. Do you have some sample events ?

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...