Hi Splunk Community,

How does Spunk prioritize conditional case functions? Lets say I have a case function with 2 conditions - they work fine, and results are as expected, but then lets say I flip the conditions. What I see happen when I flip the conditions in the case function the results are not correct. Shouldn't Splunk be able to still check which condition it applies to even though I have flipped the conditions?  Example below:

Case: TimeSchedule should output the closest 7th min or 37th min - so every half hour past the 7th min or 37th min from the zipTime_epoch.

Works Fine as output TimeSchedule should be 2021-03-06 23:37:59.000000

| makeresults
| eval zipTime="2021-03-06 23:35:59.000"
| eval zipTime_epoch=strptime(zipTime, "%Y-%m-%d %H:%M:%S.%6N")
| eval lastunzip_hour=tonumber(strftime(zipTime_epoch, "%H"))
| eval lastunzip_min=tonumber(strftime(zipTime_epoch, "%M"))
| eval lastunzip_sec=round(zipTime_epoch%60,6)
| eval TimeSchedule=strftime(case(lastunzip_min%30 < 7, zipTime_epoch-zipTime_epoch%1800+420+lastunzip_sec,lastunzip_min!=37 AND lastunzip_min!=7, zipTime_epoch-zipTime_epoch%1800+2220+lastunzip_sec,1=1,zipTime_epoch),"%Y-%m-%d %H:%M:%S.%6N")

| table TimeSchedule, zipTime, lastunzip_hour, lastunzip_min, lastunzip_sec, zipTime_epoch

Does not work fine when case in conditions are flipped- output should be 2021-03-06 23:37:59.000000 instead.

| makeresults
| eval zipTime="2021-03-06 23:35:59.000"
| eval zipTime_epoch=strptime(zipTime, "%Y-%m-%d %H:%M:%S.%6N")
| eval lastunzip_hour=tonumber(strftime(zipTime_epoch, "%H"))
| eval lastunzip_min=tonumber(strftime(zipTime_epoch, "%M"))
| eval lastunzip_sec=round(zipTime_epoch%60,6)
| eval TimeSchedule=strftime(case( lastunzip_min!=37 AND lastunzip_min!=7, zipTime_epoch-zipTime_epoch%1800+2220+lastunzip_sec,lastunzip_min%30 < 7, zipTime_epoch_epoch-zipTime_epoch_epoch%1800+420+lastunzip_sec,1=1,zipTime_epoch),"%Y-%m-%d %H:%M:%S.%6N")