Re: Facing trouble in validation of conditions usi...

1132307 · ‎04-04-2018

index=abcd source=xyz
| FILTERS
| eval s= case(S > 0 AND S <= 2, "V", S > 0 AND S <= 3, "O", S > 3 AND S <= 4, "D", S > 4 AND S <=5,"E")
| chart count over field by s

I'm trying to evaluate a field with the above given conditions. First condition limit is (0-2) and the second condition limit is (0-3).
The issue i'm facing is, as the first condition is satisfied it is not checking the second condition. But i need both the conditions to be Validated.

janispelss · ‎04-04-2018

As mentioned by others, that's how the case function is supposed to work. What would you expect "s" to evaluate to when "S" equals 1 or 2?

niketn · ‎04-04-2018

@1132307 so what do you mean by both conditions to be validated? If both conditions are true which one should be picked? As @richgalloway has mentioned Splunk will pick first condition which evaluates to true. If you always want to pick the second condition then swap your conditions.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

1132307 · ‎04-04-2018

Is there any other command for this issue? So that it can validate both conditions to get the result.

richgalloway · ‎04-04-2018

That's how case works in Splunk. Conditions are evaluated in order. Evaluation stops once a condition is met.

---
If this reply helps you, Karma would be appreciated.

Facing trouble in validation of conditions using if statement

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!