Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Can you help me with a problem with an AND operator in a CASE and IF statement?

kumagaur
New Member
‎01-24-2019 10:23 AM

I have one lookup in which there is a field which consist

Team Member
A1
A2
A3
A4
A5
A6
A7

Now,If
TeamMember=(A1 OR A2) AND A4 AND A7 then print Aseries
TeamMember=(A1 OR A2) and A5 AND A6 then print Bseries

I tried:

 |eval Team=if((con1=="A1 OR con1=A2)"AND con1=="A4" AND con1=A7,Aseries,Other)

I used case as well but no luck.

0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎01-24-2019 11:09 AM

Hi kumagaur,

based on the provided examples this will work:

| makeresults 
| eval TeamMember="A1 A2 A3 A4 A5 A6 A7"
| makemv TeamMember 
| mvexpand TeamMember 
| eval Team = if((TeamMember="A1" OR TeamMember="A2") AND TeamMember="A4" AND TeamMember="A7", "foo" , "nope")

But, also based on your provided information this eval will never match anything because TeamMember has never at the same time either A1 or B2 and A4 and A7.

I would review either the use case or the events, because this based on the provided information will never work.

Hope this helps ...

cheers, MuS

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...