Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Facing trouble in validation of conditions using if statement

1132307
New Member
‎04-04-2018 03:11 AM

index=abcd source=xyz
| FILTERS
| eval s= case(S > 0 AND S <= 2, "V", S > 0 AND S <= 3, "O", S > 3 AND S <= 4, "D", S > 4 AND S <=5,"E")
| chart count over field by s

I'm trying to evaluate a field with the above given conditions. First condition limit is (0-2) and the second condition limit is (0-3).
The issue i'm facing is, as the first condition is satisfied it is not checking the second condition. But i need both the conditions to be Validated.

0 Karma
Reply

janispelss
Path Finder
‎04-04-2018 06:46 AM

As mentioned by others, that's how the case function is supposed to work. What would you expect "s" to evaluate to when "S" equals 1 or 2?

0 Karma
Reply

niketn
Legend
‎04-04-2018 06:32 AM

@1132307 so what do you mean by both conditions to be validated? If both conditions are true which one should be picked? As @richgalloway has mentioned Splunk will pick first condition which evaluates to true. If you always want to pick the second condition then swap your conditions.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

1132307
New Member
‎04-04-2018 06:54 AM

Is there any other command for this issue? So that it can validate both conditions to get the result.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-04-2018 05:39 AM

That's how case works in Splunk. Conditions are evaluated in order. Evaluation stops once a condition is met.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Community Content Calendar, November Edition

Welcome to the November edition of our Community Spotlight! Each month, we dive into the Splunk Community to ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...