Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Facing trouble in validation of conditions using if statement

1132307
New Member
‎04-04-2018 03:11 AM

index=abcd source=xyz
| FILTERS
| eval s= case(S > 0 AND S <= 2, "V", S > 0 AND S <= 3, "O", S > 3 AND S <= 4, "D", S > 4 AND S <=5,"E")
| chart count over field by s

I'm trying to evaluate a field with the above given conditions. First condition limit is (0-2) and the second condition limit is (0-3).
The issue i'm facing is, as the first condition is satisfied it is not checking the second condition. But i need both the conditions to be Validated.

0 Karma
Reply

janispelss
Path Finder
‎04-04-2018 06:46 AM

As mentioned by others, that's how the case function is supposed to work. What would you expect "s" to evaluate to when "S" equals 1 or 2?

0 Karma
Reply

niketn
Legend
‎04-04-2018 06:32 AM

@1132307 so what do you mean by both conditions to be validated? If both conditions are true which one should be picked? As @richgalloway has mentioned Splunk will pick first condition which evaluates to true. If you always want to pick the second condition then swap your conditions.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

1132307
New Member
‎04-04-2018 06:54 AM

Is there any other command for this issue? So that it can validate both conditions to get the result.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-04-2018 05:39 AM

That's how case works in Splunk. Conditions are evaluated in order. Evaluation stops once a condition is met.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...