Splunk Search

Can multiple IF statements be used

agreer
New Member

I am creating a report off of logs files. In this report I am looking to list out the number of times particular actions were took. The two IF statements below produce data as expected when ran alone, but when ran together one of the fields is empty and the other list all the values as 0's.

sourcetype = drupal_app_logs domain_type = "clientportal" email != "surfspamfree.com" email !="@littler.com"

|eval Portallogins=if((trim(upper(action))=trim(upper("User Login")) AND trim(upper(domain))=trim(upper("Login Portal"))),1,0)
|stats sum(Portallogins) as "Portal Logins" by email
|eval Globallogins=if(like (message,"%portal.littler.com/apps/global-guide"),1,0)
|stats sum(Globallogins) as "Global Logins" by email

|join type=left email
[|search index=onelogin_roll role_id{} != null]
|table email,firstname, lastname,company,last_login,"Portal Logins","Global Logins"
|sort company

Any help is greatly appreciated.

0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

The problem here is the the order of thsoe conidtions and stats command. After the first stats for Portal Logins, only fields available in your result set are email and "Portal Logins", so your next eval for GlobalLogins and stats doesn't work. Try like this

sourcetype = drupal_app_logs domain_type = "clientportal" email != "surfspamfree.com" email !="@littler.com"
|eval Portallogins=if((trim(upper(action))=trim(upper("User Login")) AND trim(upper(domain))=trim(upper("Login Portal"))),1,0)
|eval Globallogins=if(like (message,"%portal.littler.com/apps/global-guide"),1,0)
|stats sum(Globallogins) as "Global Logins" sum(Portallogins) as "Portal Logins" by email 
|join type=left email
[|search index=onelogin_roll role_id{} != null]
|table email,firstname, lastname,company,last_login,"Portal Logins","Global Logins"
|sort company

View solution in original post

somesoni2
SplunkTrust
SplunkTrust

The problem here is the the order of thsoe conidtions and stats command. After the first stats for Portal Logins, only fields available in your result set are email and "Portal Logins", so your next eval for GlobalLogins and stats doesn't work. Try like this

sourcetype = drupal_app_logs domain_type = "clientportal" email != "surfspamfree.com" email !="@littler.com"
|eval Portallogins=if((trim(upper(action))=trim(upper("User Login")) AND trim(upper(domain))=trim(upper("Login Portal"))),1,0)
|eval Globallogins=if(like (message,"%portal.littler.com/apps/global-guide"),1,0)
|stats sum(Globallogins) as "Global Logins" sum(Portallogins) as "Portal Logins" by email 
|join type=left email
[|search index=onelogin_roll role_id{} != null]
|table email,firstname, lastname,company,last_login,"Portal Logins","Global Logins"
|sort company
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...