Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Comparison and condition function help. Multiple I...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Comparison and condition function help. Multiple If, case or like statements in search
index=foo
| eval Compliant=case(like(AppVersion,"14.12%"), "OK", like(AppVersion,"14.11%"),"OK" , like(AppVersion,"14.10%"),"OK" , like(AppVersion,"14.9%"),"OK" , like(AppVersion,"14.8%"),"OK"...)
| table User, Platform, AppVersion, Compliant
Right now table looks like this. I have only checked if an AppVersion is on the Compliant list.
12345| Windows | 14.8 | Ok
56789| Mac | 12.8 |
03468| iOS | 18.0 |
97621| Android | 18.8 |
However, I need to check certain AppVersions against the Platform.
I imagine it would need multiple if statements and multiple cases but not sure how to do this.
One of my failures looked something like:
index=foo
| eval Compliant=if(Platform=Windows, case(like(AppVersion,"14.12%"), "OK", like(AppVersion,"14.11%"),"OK" , like(AppVersion,"14.10%"),"OK" , like(AppVersion,"14.9%"),"OK" , like(AppVersion,"14.8%"),"OK"...),"NO")
| table foo
The goal would be to show something like this.
User | Platform | AppVersion | Compliant
12345| Windows | 14.8 | Ok
56789| Mac | 12.8 | Ok
03468| iOS | 18.0 | Ok
97621| Android | 18.8 | Ok
97423| Windows | 13.8 | No
32638| Mac | 11.0 | No
08346| iOS | 17.0 | No
43835| Android | 18.2 | No
Thank you in advance, if you can help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@nqjpm,
Try below query..
I have created with sample data . You can us the last eval with your main query.
| makeresults
| eval AppVersion=mvappend("14.12%","14.11%","14.10%","14.16%","14.00%")
| mvexpand AppVersion
| eval Platform= case(AppVersion == "14.00%", "Windows",AppVersion == "14.12%", "Windows",AppVersion == "14.16%","Mac",AppVersion == "14.12%", "iOS",AppVersion == "14.11%", "Windows",AppVersion == "14.11%", "Mac",AppVersion == "14.10%", "Windows",AppVersion == "14.10%", "Android")
| eval Compliant=if(Platform="Windows" AND (AppVersion="14.12%" OR AppVersion="14.11%" OR AppVersion="14.10%" OR AppVersion="14.9%" OR AppVersion="14.8%"), "OK","NO" )
| table AppVersion Platform Compliant
Thanks ..
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think a lookup should be used here!! Can you try on that lines, if you already know the conditions for Compliant? That way you can use a csv file for the true conditions of Compliant .
Your lookup should have User Platform AppVersion columns.
basequery|lookup Compliant_condtions.csv User AS User, Platform AS Platform , columns AS columns OUTPUT Compliant
|fillnull value="No" Compliant ------ > this will fill the Complaint values as "No" for the condition that dint match with the lookup
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Automating Threat Operations and Threat Hunting with Recorded Future
Keep the Learning Going with the New Best of .conf Hub
Splunk Community Badges!
