Splunk Search

How do I edit my eval syntax with multiple if conditions to produce a certain field?

Builder

Hi all.

I have a ruleset like this:

MODEL_NUMBER1 AND BTT = SUBTYPE1
MODEL_NUMBER2 AND CTT = SUBTYPE2
MODEL_NUMBER3 AND RTT = SUBTYPE3
MODEL_NUMBER4 AND PTT = SUBTYPE4

My dataset has the MODELNUMBER value in 5 fields (`IPTYPE1...IPTYPE5) and the other value in the fieldIPKIND`.

I need to produce a resulting field with the same logic in a new field. I am doing something like this:

sourcetype=temp | 
eval RESULTING_FIELD = if(IP_TYPE1 == "MODEL NUMBER 1" OR IP_TYPE2 == "MODEL NUMBER 1" OR IP_TYPE3 == "MODEL NUMBER 1" OR IP_TYPE4 == "MODEL NUMBER 1" OR IP_TYPE5 == "MODEL NUMBER 1" AND IP_KIND == "BTT", "SUBTYPE1", "OTHER")

Works fine for the first subtype, but how I can produce a complete sentence with all fields? I tried with case without success (no OTHER).

Thanks!

0 Karma

Communicator

Please choose an answer for this question

0 Karma

SplunkTrust
SplunkTrust

Since you're more than 2 condition, you should eval-case instead of eval-if. Like this

 sourcetype=temp | 
 eval RESULTING_FIELD = if((IP_TYPE1="MODEL NUMBER 1" OR IP_TYPE2="MODEL NUMBER 1" OR IP_TYPE3="MODEL NUMBER 1" OR IP_TYPE4="MODEL NUMBER 1" OR IP_TYPE5="MODEL NUMBER 1") AND IP_KIND="BTT", "SUBTYPE1", (IP_TYPE1="MODEL NUMBER 2" OR IP_TYPE2="MODEL NUMBER 2" OR IP_TYPE3="MODEL NUMBER 2" OR IP_TYPE4="MODEL NUMBER 2" OR IP_TYPE5="MODEL NUMBER 2") AND IP_KIND="CTT", "SUBTYPE2", (IP_TYPE1="MODEL NUMBER 3" OR IP_TYPE2="MODEL NUMBER 3" OR IP_TYPE3="MODEL NUMBER 3" OR IP_TYPE4="MODEL NUMBER 3" OR IP_TYPE5="MODEL NUMBER 3") AND IP_KIND="RTT", "SUBTYPE3", (IP_TYPE1="MODEL NUMBER 4" OR IP_TYPE2="MODEL NUMBER 4" OR IP_TYPE3="MODEL NUMBER 4" OR IP_TYPE4="MODEL NUMBER 4" OR IP_TYPE5="MODEL NUMBER 4") AND IP_KIND="PTT", "SUBTYPE4", true(),"OTHER")

Builder

Thanks. You mean:

  sourcetype=temp | 
  eval RESULTING_FIELD = case((IP_TYPE1="MODEL NUMBER 1" OR IP_TYPE2="MODEL NUMBER 1" OR IP_TYPE3="MODEL NUMBER 1" OR IP_TYPE4="MODEL NUMBER 1" OR IP_TYPE5="MODEL NUMBER 1") AND IP_KIND="BTT", "SUBTYPE1", (IP_TYPE1="MODEL NUMBER 2" OR IP_TYPE2="MODEL NUMBER 2" OR IP_TYPE3="MODEL NUMBER 2" OR IP_TYPE4="MODEL NUMBER 2" OR IP_TYPE5="MODEL NUMBER 2") AND IP_KIND="CTT", "SUBTYPE2", (IP_TYPE1="MODEL NUMBER 3" OR IP_TYPE2="MODEL NUMBER 3" OR IP_TYPE3="MODEL NUMBER 3" OR IP_TYPE4="MODEL NUMBER 3" OR IP_TYPE5="MODEL NUMBER 3") AND IP_KIND="RTT", "SUBTYPE3", (IP_TYPE1="MODEL NUMBER 4" OR IP_TYPE2="MODEL NUMBER 4" OR IP_TYPE3="MODEL NUMBER 4" OR IP_TYPE4="MODEL NUMBER 4" OR IP_TYPE5="MODEL NUMBER 4") AND IP_KIND="PTT", "SUBTYPE4", true(),"OTHER")

My resulting field only shows OTHER, any idea?

Builder

Solved, problem with accents into IP_TYPE strings.

0 Karma

SplunkTrust
SplunkTrust

There's no "you should use eval case", it's a preference in my humble opinion.

Did you try my search?

SplunkTrust
SplunkTrust
See if this works: (put those ORs in parenthesis)

 sourcetype=temp | 
 eval RESULTING_FIELD = if((IP_TYPE1 == "MODEL NUMBER 1" OR IP_TYPE2 == "MODEL NUMBER 1" OR IP_TYPE3 == "MODEL NUMBER 1" OR IP_TYPE4 == "MODEL NUMBER 1" OR IP_TYPE5 == "MODEL NUMBER 1") AND IP_KIND == "BTT", "SUBTYPE1", "OTHER")

SplunkTrust
SplunkTrust

Or maybe I'm misunderstanding your request here.

If you're trying to have the same if but for model number 2, 3, etc... Try this

first zip the fields into one field to help shorten your if/case statement:

 |eval a=mvzip(IP_TYPE1,IP_TYPE2) | eval b=mvzip(IP_TYPE3,IP_TYPE4)| eval c=mvzip(a,b) | eval d=mvzip(c,IP_TYPE5) 

Then use if/case with match:

   | eval result=if((match(d,".*MODEL NUMBER 1.*") AND IP_KIND=="BTT"),"Subtype1",if((match(d,".*MODEL NUMBER 2.*") AND IP_KIND=="BTT"),"subtype2","other"))

For each other subtype replace "other" with another if match statement. Just remember to add another ending parens ")" at the end for each if you start.

It's usually the syntax that gets you on these long if or case statements.