Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to check if multiple conditions are true?

iomega311
Explorer
‎03-17-2022 04:41 PM

I am looking for a way to check for multiple conditions to match, and if they are met, output a specific word... such as "true".

Example:
my_cool_search_here | eval condition_met=if(user=* AND DoW IN (Mon,Wed) AND HoD IN (01,02,03) AND hostname IN ("hostname.hostdomain","hostname.hostdomain"), "true")

I don't know if that makes sense... but essentially I want to check whether "user" has ANY value, and then if the fields "DoW", "HoD", and "hostname" have specific values out of a possible range.... and if all that matches, then set the value of "condition_met" to "true".

I know I can do this for a single field/value, but how would I accomplish this for multiple different conditions?

Thanks!

Labels (1)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-18-2022 12:24 AM 
my_cool_search_here | eval condition_met=if(isnotnull(user) AND DoW IN (Mon,Wed) AND HoD IN (01,02,03) AND hostname IN ("hostname.hostdomain","hostname.hostdomain"), "true", null())
0 Karma
Reply

SanjayReddy
SplunkTrust
SplunkTrust
‎03-17-2022 07:44 PM

Hi @iomega311 

as you only want true results, 
please use Case condition and , 

I have updated the query with CASE condition and filed values in qutes 

Query 1 

my_cool_search_here | eval condition_met=case(user="*" AND (DoW="Mon" OR DoW="Wed") AND (HoD="01" OR HoD="02" OR HoD="03") AND (hostname="hostname.hostdomain" OR hostname="hostname.hostdomain"), "true")

OR
Query 2 

my_cool_search_here | eval condition_met=case(user="*" AND DoW IN ("Mon","Wed") AND HoD IN ("01","02","03") AND hostname IN ("hostname.hostdomain","hostname.hostdomain"), "true")

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...