Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- AND in If statement
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a set of logs showing order journeys between countries - I want to create a report that show the destination country of the order or, if the order is staying within the country of origin, will show this order as a local supply order. To assess whether the order is local supply I need to evaluate 2 fields, I have written if statements with an OR condition but I am not sure how to use an AND condition within the if statement - can anyone suggest how I would do this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ah I have spotted my own mistake, a simple matter of missing quotation marks around LocalSupply and External - I've managed to make the country display as LocalSupply, I'm now running 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are LocalSupply and External supposed to be field names or strings? Because right now you're referring to field names, so if those fields don't exist, you will get empty results.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ah I have spotted my own mistake, a simple matter of missing quotation marks around LocalSupply and External - I've managed to make the country display as LocalSupply, I'm now running 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is the statement I've tried using, but the issue may not be with the AND:
eval OrderType=if((OriginCountry="IRL") AND (DestinationCountry="IRL"),LocalSupply,External) | stats count by OrderType
This query is currently showing no results.
Ideally I would like to have a report where I can show all orders and their origin countries within a specific time frame, and if they are 'Local Supply' the origincountry will be renamed Local Supply and all other orders will be displayed with their origincountry, but I'll walk before I run!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Could you show examples? Without any other info I'd just say "just use AND instead of OR", but I'm guessing there's more to your question than that.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
