Splunk Search

## Eval with conditions

Path Finder

Hi,

I have 3 products 1, 2, and 3, each of them contain several elements a, b c, d. Each product has different specification depending on the elements %

Product 1:  a1<a<a2, b1<b<b2, c1<c<c2

Product 2:  a3<a<a4, b3<b<b4, d3<d<d4

product 3: a5<a<a6, b5<b<b6, c5<c<c6, d5<d<d6

I would like to have a list

Product , a, b, c, d, In_Spec

I would like to use eval to assign the value to In_Spec

|eval In_Spec=( if Product=1 and  a1<a<a2 and b1<b<b2 and c1<c<c2, "yes", "no")

but How can include product 2 and product 2? In the end I want sth like:

|eval In_Spec=( if Product 1.......... Product2........... Product 3............"yes", "no")

can someone help me with that?

Labels (1)
• ### eval

1 Solution
SplunkTrust

The if function has only 3 parameter, condition, action if true, action if false. So, to represent it in a more structured way it might look like this

if condition1
then action1
else action2
endif

When the actions are themselves if's it starts to look like this

if condition1
then if condition1.1
then action1T
else action1F
endif
else if condition2
then if condition2.1
then action2T
else action2F
endif
else if condition3
then if condition3.1
then action3T
else action3F
endif
endif
endif
endif

As you can see, all the endifs come together at the end to close off all the levels of nesting. This is what the brackets are doing in the splunk syntax

SplunkTrust

You can nest if's

if(product=1,if(a>a1 AND a<a2 AND b ...,"yes","no"),if(product=2,if(...,"yes","no"),if(product...)))

or in a similar vein, use a case

case(product=1,if(...),product=2,if(...)...)

Path Finder

Hi @ITWhisperer  thanks for the quick reply. But i am confused with so many brackets.

If I understand this correctly:

|eval In_Spec=if((Product=1, if(..., "yes", "no"), if (Product=2, if(...) "yes", "no"), if(Product=3, if(...., yes", "no" ))

But why do you have three brackets at the end?

SplunkTrust

The if function has only 3 parameter, condition, action if true, action if false. So, to represent it in a more structured way it might look like this

if condition1
then action1
else action2
endif

When the actions are themselves if's it starts to look like this

if condition1
then if condition1.1
then action1T
else action1F
endif
else if condition2
then if condition2.1
then action2T
else action2F
endif
else if condition3
then if condition3.1
then action3T
else action3F
endif
endif
endif
endif

As you can see, all the endifs come together at the end to close off all the levels of nesting. This is what the brackets are doing in the splunk syntax

Path Finder

great! thank you @ITWhisperer for your patience. Now I understand! Many thanks!

Get Updates on the Splunk Community!

#### Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

#### NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

#### Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...