- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Comparison and condition function help. Multiple I...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Comparison and condition function help. Multiple If, case or like statements in search
index=foo
| eval Compliant=case(like(AppVersion,"14.12%"), "OK", like(AppVersion,"14.11%"),"OK" , like(AppVersion,"14.10%"),"OK" , like(AppVersion,"14.9%"),"OK" , like(AppVersion,"14.8%"),"OK"...)
| table User, Platform, AppVersion, Compliant
Right now table looks like this. I have only checked if an AppVersion is on the Compliant list.
12345| Windows | 14.8 | Ok
56789| Mac | 12.8 |
03468| iOS | 18.0 |
97621| Android | 18.8 |
However, I need to check certain AppVersions against the Platform.
I imagine it would need multiple if statements and multiple cases but not sure how to do this.
One of my failures looked something like:
index=foo
| eval Compliant=if(Platform=Windows, case(like(AppVersion,"14.12%"), "OK", like(AppVersion,"14.11%"),"OK" , like(AppVersion,"14.10%"),"OK" , like(AppVersion,"14.9%"),"OK" , like(AppVersion,"14.8%"),"OK"...),"NO")
| table foo
The goal would be to show something like this.
User | Platform | AppVersion | Compliant
12345| Windows | 14.8 | Ok
56789| Mac | 12.8 | Ok
03468| iOS | 18.0 | Ok
97621| Android | 18.8 | Ok
97423| Windows | 13.8 | No
32638| Mac | 11.0 | No
08346| iOS | 17.0 | No
43835| Android | 18.2 | No
Thank you in advance, if you can help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@nqjpm,
Try below query..
I have created with sample data . You can us the last eval with your main query.
| makeresults
| eval AppVersion=mvappend("14.12%","14.11%","14.10%","14.16%","14.00%")
| mvexpand AppVersion
| eval Platform= case(AppVersion == "14.00%", "Windows",AppVersion == "14.12%", "Windows",AppVersion == "14.16%","Mac",AppVersion == "14.12%", "iOS",AppVersion == "14.11%", "Windows",AppVersion == "14.11%", "Mac",AppVersion == "14.10%", "Windows",AppVersion == "14.10%", "Android")
| eval Compliant=if(Platform="Windows" AND (AppVersion="14.12%" OR AppVersion="14.11%" OR AppVersion="14.10%" OR AppVersion="14.9%" OR AppVersion="14.8%"), "OK","NO" )
| table AppVersion Platform Compliant
Thanks ..
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think a lookup should be used here!! Can you try on that lines, if you already know the conditions for Compliant? That way you can use a csv file for the true conditions of Compliant .
Your lookup should have User Platform AppVersion columns.
basequery|lookup Compliant_condtions.csv User AS User, Platform AS Platform , columns AS columns OUTPUT Compliant
|fillnull value="No" Compliant ------ > this will fill the Complaint values as "No" for the condition that dint match with the lookup
Introducing the Splunk Community Dashboard Challenge!
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...
