Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Facing trouble in validation of conditions using if statement

1132307
New Member
‎04-04-2018 03:11 AM

index=abcd source=xyz
| FILTERS
| eval s= case(S > 0 AND S <= 2, "V", S > 0 AND S <= 3, "O", S > 3 AND S <= 4, "D", S > 4 AND S <=5,"E")
| chart count over field by s

I'm trying to evaluate a field with the above given conditions. First condition limit is (0-2) and the second condition limit is (0-3).
The issue i'm facing is, as the first condition is satisfied it is not checking the second condition. But i need both the conditions to be Validated.

0 Karma
Reply

janispelss
Path Finder
‎04-04-2018 06:46 AM

As mentioned by others, that's how the case function is supposed to work. What would you expect "s" to evaluate to when "S" equals 1 or 2?

0 Karma
Reply

niketn
Legend
‎04-04-2018 06:32 AM

@1132307 so what do you mean by both conditions to be validated? If both conditions are true which one should be picked? As @richgalloway has mentioned Splunk will pick first condition which evaluates to true. If you always want to pick the second condition then swap your conditions.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

1132307
New Member
‎04-04-2018 06:54 AM

Is there any other command for this issue? So that it can validate both conditions to get the result.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-04-2018 05:39 AM

That's how case works in Splunk. Conditions are evaluated in order. Evaluation stops once a condition is met.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

AppDynamics Summer Webinars

This summer, our mighty AppDynamics team is cooking up some delicious content on YouTube Live to satiate your ...

SOCin’ it to you at Splunk University

Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...
Top