Splunk Search

How to check if multiple conditions are true?

iomega311
Explorer

I am looking for a way to check for multiple conditions to match, and if they are met, output a specific word... such as "true".

Example:
my_cool_search_here | eval condition_met=if(user=* AND DoW IN (Mon,Wed) AND HoD IN (01,02,03) AND hostname IN ("hostname.hostdomain","hostname.hostdomain"), "true")

I don't know if that makes sense... but essentially I want to check whether "user" has ANY value, and then if the fields "DoW", "HoD", and "hostname" have specific values out of a possible range... and if all that matches, then set the value of "condition_met" to "true".

I know I can do this for a single field/value, but how would I accomplish this for multiple different conditions?

Thanks!


ITWhisperer
SplunkTrust
my_cool_search_here | eval condition_met=if(isnotnull(user) AND DoW IN ("Mon","Wed") AND HoD IN ("01","02","03") AND hostname IN ("hostname.hostdomain","hostname.hostdomain"), "true", null())

SanjayReddy
SplunkTrust

Hi @iomega311 

As you only want true results, please use the case condition.

I have updated the query with the case condition and field values in quotes.

Query 1 

my_cool_search_here | eval condition_met=case(isnotnull(user) AND (DoW="Mon" OR DoW="Wed") AND (HoD="01" OR HoD="02" OR HoD="03") AND (hostname="hostname.hostdomain" OR hostname="hostname.hostdomain"), "true")

OR
Query 2 

my_cool_search_here | eval condition_met=case(isnotnull(user) AND DoW IN ("Mon","Wed") AND HoD IN ("01","02","03") AND hostname IN ("hostname.hostdomain","hostname.hostdomain"), "true")
