Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How do I edit my eval syntax with multiple if conditions to produce a certain field?

changux
Builder
‎10-30-2016 03:05 PM

Hi all.

I have a ruleset like this:

MODEL_NUMBER1 AND BTT = SUBTYPE1
MODEL_NUMBER2 AND CTT = SUBTYPE2
MODEL_NUMBER3 AND RTT = SUBTYPE3
MODEL_NUMBER4 AND PTT = SUBTYPE4

My dataset has the MODEL_NUMBER value in 5 fields (IP_TYPE1...IP_TYPE5) and the other value in the field IP_KIND.

I need to produce a resulting field with the same logic in a new field. I am doing something like this:

sourcetype=temp | 
eval RESULTING_FIELD = if(IP_TYPE1 == "MODEL NUMBER 1" OR IP_TYPE2 == "MODEL NUMBER 1" OR IP_TYPE3 == "MODEL NUMBER 1" OR IP_TYPE4 == "MODEL NUMBER 1" OR IP_TYPE5 == "MODEL NUMBER 1" AND IP_KIND == "BTT", "SUBTYPE1", "OTHER")

Works fine for the first subtype, but how I can produce a complete sentence with all fields? I tried with case without success (no OTHER).

Thanks!

0 Karma
Reply

ryhluc01
Communicator
‎03-01-2019 11:27 AM

Please choose an answer for this question

0 Karma
Reply

somesoni2
Revered Legend
‎10-30-2016 05:04 PM

Since you're more than 2 condition, you should eval-case instead of eval-if. Like this

 sourcetype=temp | 
 eval RESULTING_FIELD = if((IP_TYPE1="MODEL NUMBER 1" OR IP_TYPE2="MODEL NUMBER 1" OR IP_TYPE3="MODEL NUMBER 1" OR IP_TYPE4="MODEL NUMBER 1" OR IP_TYPE5="MODEL NUMBER 1") AND IP_KIND="BTT", "SUBTYPE1", (IP_TYPE1="MODEL NUMBER 2" OR IP_TYPE2="MODEL NUMBER 2" OR IP_TYPE3="MODEL NUMBER 2" OR IP_TYPE4="MODEL NUMBER 2" OR IP_TYPE5="MODEL NUMBER 2") AND IP_KIND="CTT", "SUBTYPE2", (IP_TYPE1="MODEL NUMBER 3" OR IP_TYPE2="MODEL NUMBER 3" OR IP_TYPE3="MODEL NUMBER 3" OR IP_TYPE4="MODEL NUMBER 3" OR IP_TYPE5="MODEL NUMBER 3") AND IP_KIND="RTT", "SUBTYPE3", (IP_TYPE1="MODEL NUMBER 4" OR IP_TYPE2="MODEL NUMBER 4" OR IP_TYPE3="MODEL NUMBER 4" OR IP_TYPE4="MODEL NUMBER 4" OR IP_TYPE5="MODEL NUMBER 4") AND IP_KIND="PTT", "SUBTYPE4", true(),"OTHER")
Reply

changux
Builder
‎10-30-2016 07:14 PM

Thanks. You mean:

  sourcetype=temp | 
  eval RESULTING_FIELD = case((IP_TYPE1="MODEL NUMBER 1" OR IP_TYPE2="MODEL NUMBER 1" OR IP_TYPE3="MODEL NUMBER 1" OR IP_TYPE4="MODEL NUMBER 1" OR IP_TYPE5="MODEL NUMBER 1") AND IP_KIND="BTT", "SUBTYPE1", (IP_TYPE1="MODEL NUMBER 2" OR IP_TYPE2="MODEL NUMBER 2" OR IP_TYPE3="MODEL NUMBER 2" OR IP_TYPE4="MODEL NUMBER 2" OR IP_TYPE5="MODEL NUMBER 2") AND IP_KIND="CTT", "SUBTYPE2", (IP_TYPE1="MODEL NUMBER 3" OR IP_TYPE2="MODEL NUMBER 3" OR IP_TYPE3="MODEL NUMBER 3" OR IP_TYPE4="MODEL NUMBER 3" OR IP_TYPE5="MODEL NUMBER 3") AND IP_KIND="RTT", "SUBTYPE3", (IP_TYPE1="MODEL NUMBER 4" OR IP_TYPE2="MODEL NUMBER 4" OR IP_TYPE3="MODEL NUMBER 4" OR IP_TYPE4="MODEL NUMBER 4" OR IP_TYPE5="MODEL NUMBER 4") AND IP_KIND="PTT", "SUBTYPE4", true(),"OTHER")

My resulting field only shows OTHER, any idea?

Reply

changux
Builder
‎10-30-2016 07:30 PM

Solved, problem with accents into IP_TYPE strings.

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎10-31-2016 07:17 AM

There's no "you should use eval case", it's a preference in my humble opinion.

Did you try my search?

Reply

jkat54
SplunkTrust
SplunkTrust
‎10-30-2016 03:22 PM 
See if this works: (put those ORs in parenthesis)

 sourcetype=temp | 
 eval RESULTING_FIELD = if((IP_TYPE1 == "MODEL NUMBER 1" OR IP_TYPE2 == "MODEL NUMBER 1" OR IP_TYPE3 == "MODEL NUMBER 1" OR IP_TYPE4 == "MODEL NUMBER 1" OR IP_TYPE5 == "MODEL NUMBER 1") AND IP_KIND == "BTT", "SUBTYPE1", "OTHER")
Reply

jkat54
SplunkTrust
SplunkTrust
‎10-30-2016 03:35 PM

Or maybe I'm misunderstanding your request here.

If you're trying to have the same if but for model number 2, 3, etc... Try this

first zip the fields into one field to help shorten your if/case statement:

 |eval a=mvzip(IP_TYPE1,IP_TYPE2) | eval b=mvzip(IP_TYPE3,IP_TYPE4)| eval c=mvzip(a,b) | eval d=mvzip(c,IP_TYPE5)

Then use if/case with match:

   | eval result=if((match(d,".*MODEL NUMBER 1.*") AND IP_KIND=="BTT"),"Subtype1",if((match(d,".*MODEL NUMBER 2.*") AND IP_KIND=="BTT"),"subtype2","other"))

For each other subtype replace "other" with another if match statement. Just remember to add another ending parens ")" at the end for each if you start.

It's usually the syntax that gets you on these long if or case statements.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...