Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Comparison and condition function help. Multiple If, case or like statements in search

nqjpm
Path Finder
‎08-31-2018 02:22 PM 
index=foo
| eval Compliant=case(like(AppVersion,"14.12%"), "OK", like(AppVersion,"14.11%"),"OK" , like(AppVersion,"14.10%"),"OK" , like(AppVersion,"14.9%"),"OK" , like(AppVersion,"14.8%"),"OK"...)
| table User, Platform, AppVersion, Compliant

Right now table looks like this. I have only checked if an AppVersion is on the Compliant list.
12345| Windows | 14.8 | Ok
56789| Mac | 12.8 |
03468| iOS | 18.0 |
97621| Android | 18.8 |

However, I need to check certain AppVersions against the Platform.
I imagine it would need multiple if statements and multiple cases but not sure how to do this.
One of my failures looked something like:

index=foo
| eval Compliant=if(Platform=Windows, case(like(AppVersion,"14.12%"), "OK", like(AppVersion,"14.11%"),"OK" , like(AppVersion,"14.10%"),"OK" , like(AppVersion,"14.9%"),"OK" , like(AppVersion,"14.8%"),"OK"...),"NO")
| table foo

The goal would be to show something like this.
User | Platform | AppVersion | Compliant
12345| Windows | 14.8 | Ok
56789| Mac | 12.8 | Ok
03468| iOS | 18.0 | Ok
97621| Android | 18.8 | Ok
97423| Windows | 13.8 | No
32638| Mac | 11.0 | No
08346| iOS | 17.0 | No
43835| Android | 18.2 | No

Thank you in advance, if you can help.

0 Karma
Reply

Shan
Builder
‎08-31-2018 10:22 PM

@nqjpm,

Try below query..
I have created with sample data . You can us the last eval with your main query.

    | makeresults
 | eval AppVersion=mvappend("14.12%","14.11%","14.10%","14.16%","14.00%")
 | mvexpand AppVersion          
 | eval Platform= case(AppVersion == "14.00%", "Windows",AppVersion == "14.12%", "Windows",AppVersion == "14.16%","Mac",AppVersion == "14.12%", "iOS",AppVersion == "14.11%", "Windows",AppVersion == "14.11%", "Mac",AppVersion == "14.10%", "Windows",AppVersion == "14.10%", "Android")
 | eval Compliant=if(Platform="Windows" AND (AppVersion="14.12%" OR AppVersion="14.11%" OR AppVersion="14.10%" OR AppVersion="14.9%" OR AppVersion="14.8%"), "OK","NO" )
 | table   AppVersion Platform Compliant

Thanks ..

0 Karma
Reply

nadlurinadluri
Communicator
‎08-31-2018 03:13 PM

I think a lookup should be used here!! Can you try on that lines, if you already know the conditions for Compliant? That way you can use a csv file for the true conditions of Compliant .
Your lookup should have User Platform AppVersion columns.

basequery|lookup Compliant_condtions.csv User AS User, Platform AS Platform , columns AS columns OUTPUT Compliant
|fillnull value="No" Compliant ------ > this will fill the Complaint values as "No" for the condition that dint match with the lookup

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...