Splunk Search

Comparison and condition function help. Multiple If, case or like statements in search

nqjpm
Path Finder
index=foo
| eval Compliant=case(like(AppVersion,"14.12%"), "OK", like(AppVersion,"14.11%"),"OK" , like(AppVersion,"14.10%"),"OK" , like(AppVersion,"14.9%"),"OK" , like(AppVersion,"14.8%"),"OK"...)
| table User, Platform, AppVersion, Compliant

Right now table looks like this. I have only checked if an AppVersion is on the Compliant list.
12345| Windows | 14.8 | Ok
56789| Mac | 12.8 |
03468| iOS | 18.0 |
97621| Android | 18.8 |

However, I need to check certain AppVersions against the Platform.
I imagine it would need multiple if statements and multiple cases but not sure how to do this.
One of my failures looked something like:

index=foo
| eval Compliant=if(Platform=Windows, case(like(AppVersion,"14.12%"), "OK", like(AppVersion,"14.11%"),"OK" , like(AppVersion,"14.10%"),"OK" , like(AppVersion,"14.9%"),"OK" , like(AppVersion,"14.8%"),"OK"...),"NO")
| table foo

The goal would be to show something like this.
User | Platform | AppVersion | Compliant
12345| Windows | 14.8 | Ok
56789| Mac | 12.8 | Ok
03468| iOS | 18.0 | Ok
97621| Android | 18.8 | Ok
97423| Windows | 13.8 | No
32638| Mac | 11.0 | No
08346| iOS | 17.0 | No
43835| Android | 18.2 | No

Thank you in advance, if you can help.

0 Karma

Shan
Builder

@nqjpm,

Try below query..
I have created with sample data . You can us the last eval with your main query.

    | makeresults
 | eval AppVersion=mvappend("14.12%","14.11%","14.10%","14.16%","14.00%")
 | mvexpand AppVersion          
 | eval Platform= case(AppVersion == "14.00%", "Windows",AppVersion == "14.12%", "Windows",AppVersion == "14.16%","Mac",AppVersion == "14.12%", "iOS",AppVersion == "14.11%", "Windows",AppVersion == "14.11%", "Mac",AppVersion == "14.10%", "Windows",AppVersion == "14.10%", "Android")
 | eval Compliant=if(Platform="Windows" AND (AppVersion="14.12%" OR AppVersion="14.11%" OR AppVersion="14.10%" OR AppVersion="14.9%" OR AppVersion="14.8%"), "OK","NO" )
 | table   AppVersion Platform Compliant

Thanks ..

0 Karma

nadlurinadluri
Communicator

I think a lookup should be used here!! Can you try on that lines, if you already know the conditions for Compliant? That way you can use a csv file for the true conditions of Compliant .
Your lookup should have User Platform AppVersion columns.

basequery|lookup Compliant_condtions.csv User AS User, Platform AS Platform , columns AS columns OUTPUT Compliant
|fillnull value="No" Compliant ------ > this will fill the Complaint values as "No" for the condition that dint match with the lookup

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...