Splunk Search

Can multiple IF statements be used

agreer
New Member

I am creating a report off of logs files. In this report I am looking to list out the number of times particular actions were took. The two IF statements below produce data as expected when ran alone, but when ran together one of the fields is empty and the other list all the values as 0's.

sourcetype = drupal_app_logs domain_type = "clientportal" email != "surfspamfree.com" email !="@littler.com"

|eval Portallogins=if((trim(upper(action))=trim(upper("User Login")) AND trim(upper(domain))=trim(upper("Login Portal"))),1,0)
|stats sum(Portallogins) as "Portal Logins" by email
|eval Globallogins=if(like (message,"%portal.littler.com/apps/global-guide"),1,0)
|stats sum(Globallogins) as "Global Logins" by email

|join type=left email
[|search index=onelogin_roll role_id{} != null]
|table email,firstname, lastname,company,last_login,"Portal Logins","Global Logins"
|sort company

Any help is greatly appreciated.

0 Karma
1 Solution

somesoni2
Revered Legend

The problem here is the the order of thsoe conidtions and stats command. After the first stats for Portal Logins, only fields available in your result set are email and "Portal Logins", so your next eval for GlobalLogins and stats doesn't work. Try like this

sourcetype = drupal_app_logs domain_type = "clientportal" email != "surfspamfree.com" email !="@littler.com"
|eval Portallogins=if((trim(upper(action))=trim(upper("User Login")) AND trim(upper(domain))=trim(upper("Login Portal"))),1,0)
|eval Globallogins=if(like (message,"%portal.littler.com/apps/global-guide"),1,0)
|stats sum(Globallogins) as "Global Logins" sum(Portallogins) as "Portal Logins" by email 
|join type=left email
[|search index=onelogin_roll role_id{} != null]
|table email,firstname, lastname,company,last_login,"Portal Logins","Global Logins"
|sort company

View solution in original post

somesoni2
Revered Legend

The problem here is the the order of thsoe conidtions and stats command. After the first stats for Portal Logins, only fields available in your result set are email and "Portal Logins", so your next eval for GlobalLogins and stats doesn't work. Try like this

sourcetype = drupal_app_logs domain_type = "clientportal" email != "surfspamfree.com" email !="@littler.com"
|eval Portallogins=if((trim(upper(action))=trim(upper("User Login")) AND trim(upper(domain))=trim(upper("Login Portal"))),1,0)
|eval Globallogins=if(like (message,"%portal.littler.com/apps/global-guide"),1,0)
|stats sum(Globallogins) as "Global Logins" sum(Portallogins) as "Portal Logins" by email 
|join type=left email
[|search index=onelogin_roll role_id{} != null]
|table email,firstname, lastname,company,last_login,"Portal Logins","Global Logins"
|sort company
Get Updates on the Splunk Community!

Announcing General Availability of Splunk Incident Intelligence!

Digital transformation is real! Across industries, companies big and small are going through rapid digital ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...