Thanks. You mean:

  sourcetype=temp | 
  eval RESULTING_FIELD = case((IP_TYPE1="MODEL NUMBER 1" OR IP_TYPE2="MODEL NUMBER 1" OR IP_TYPE3="MODEL NUMBER 1" OR IP_TYPE4="MODEL NUMBER 1" OR IP_TYPE5="MODEL NUMBER 1") AND IP_KIND="BTT", "SUBTYPE1", (IP_TYPE1="MODEL NUMBER 2" OR IP_TYPE2="MODEL NUMBER 2" OR IP_TYPE3="MODEL NUMBER 2" OR IP_TYPE4="MODEL NUMBER 2" OR IP_TYPE5="MODEL NUMBER 2") AND IP_KIND="CTT", "SUBTYPE2", (IP_TYPE1="MODEL NUMBER 3" OR IP_TYPE2="MODEL NUMBER 3" OR IP_TYPE3="MODEL NUMBER 3" OR IP_TYPE4="MODEL NUMBER 3" OR IP_TYPE5="MODEL NUMBER 3") AND IP_KIND="RTT", "SUBTYPE3", (IP_TYPE1="MODEL NUMBER 4" OR IP_TYPE2="MODEL NUMBER 4" OR IP_TYPE3="MODEL NUMBER 4" OR IP_TYPE4="MODEL NUMBER 4" OR IP_TYPE5="MODEL NUMBER 4") AND IP_KIND="PTT", "SUBTYPE4", true(),"OTHER")

My resulting field only shows OTHER, any idea?

Solved, problem with accents into IP_TYPE strings.

There's no "you should use eval case", it's a preference in my humble opinion.

Did you try my search?

Or maybe I'm misunderstanding your request here.

If you're trying to have the same if but for model number 2, 3, etc... Try this

first zip the fields into one field to help shorten your if/case statement:

 |eval a=mvzip(IP_TYPE1,IP_TYPE2) | eval b=mvzip(IP_TYPE3,IP_TYPE4)| eval c=mvzip(a,b) | eval d=mvzip(c,IP_TYPE5) 

Then use if/case with match:

   | eval result=if((match(d,".*MODEL NUMBER 1.*") AND IP_KIND=="BTT"),"Subtype1",if((match(d,".*MODEL NUMBER 2.*") AND IP_KIND=="BTT"),"subtype2","other"))

For each other subtype replace "other" with another if match statement. Just remember to add another ending parens ")" at the end for each if you start.

It's usually the syntax that gets you on these long if or case statements.