Solved: Eval with conditions

zoe · ‎04-07-2021

Hi,

I have 3 products 1, 2, and 3, each of them contain several elements a, b c, d. Each product has different specification depending on the elements %

Product 1: a1<a<a2, b1<b<b2, c1<c<c2

Product 2: a3<a<a4, b3<b<b4, d3<d<d4

product 3: a5<a<a6, b5<b<b6, c5<c<c6, d5<d<d6

I would like to have a list

Product , a, b, c, d, In_Spec

I would like to use eval to assign the value to In_Spec

|eval In_Spec=( if Product=1 and a1<a<a2 and b1<b<b2 and c1<c<c2, "yes", "no")

but How can include product 2 and product 2? In the end I want sth like:

|eval In_Spec=( if Product 1.......... Product2........... Product 3............"yes", "no")

can someone help me with that?

Many thanks in advance!

ITWhisperer · ‎04-07-2021

The if function has only 3 parameter, condition, action if true, action if false. So, to represent it in a more structured way it might look like this

if condition1
then action1
else action2
endif

When the actions are themselves if's it starts to look like this

if condition1
then if condition1.1
     then action1T
     else action1F
     endif
else if condition2
     then if condition2.1
          then action2T
          else action2F
          endif
     else if condition3
          then if condition3.1
               then action3T
               else action3F
               endif
          endif
     endif
endif

As you can see, all the endifs come together at the end to close off all the levels of nesting. This is what the brackets are doing in the splunk syntax

View solution in original post

ITWhisperer · ‎04-07-2021

You can nest if's

if(product=1,if(a>a1 AND a<a2 AND b ...,"yes","no"),if(product=2,if(...,"yes","no"),if(product...)))

or in a similar vein, use a case

case(product=1,if(...),product=2,if(...)...)

zoe · ‎04-07-2021

Hi @ITWhisperer thanks for the quick reply. But i am confused with so many brackets.

If I understand this correctly:

|eval In_Spec=if((Product=1, if(..., "yes", "no"), if (Product=2, if(...) "yes", "no"), if(Product=3, if(...., yes", "no" ))

But why do you have three brackets at the end?

ITWhisperer · ‎04-07-2021

The if function has only 3 parameter, condition, action if true, action if false. So, to represent it in a more structured way it might look like this

if condition1
then action1
else action2
endif

When the actions are themselves if's it starts to look like this

if condition1
then if condition1.1
     then action1T
     else action1F
     endif
else if condition2
     then if condition2.1
          then action2T
          else action2F
          endif
     else if condition3
          then if condition3.1
               then action3T
               else action3F
               endif
          endif
     endif
endif

As you can see, all the endifs come together at the end to close off all the levels of nesting. This is what the brackets are doing in the splunk syntax

zoe · ‎04-07-2021

great! thank you @ITWhisperer for your patience. Now I understand! Many thanks!

Eval with conditions

eval

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation