Splunk Search

## How to make a multiple condition IF statement work?

Motivator

Hi,

This should be easy but for some reason, my brain is making it hard. I'm trying to get a 2-condition IF statement to work and well needless to say not successfully so far.

Here is the synopsis:

If the model of a camera is iCamera2-C then add -20 to the rssiid field, but only if the rssiid field is NOT zero. I've tried multiple different ways of approaching this and I can get one condition to work but not both.

Here is the latest non-working one

``````eval rssiid=if((cmodel!="iCamera2-C") OR (rssiid=0),rssiid,rssiid+-20)
``````
Tags (3)
1 Solution
SplunkTrust

``````....| eval rssiid=if(cmodel="iCamera2-C" AND rssiid!=0, rssiid+20,rssiid)
``````
SplunkTrust

``````....| eval rssiid=if(cmodel="iCamera2-C" AND rssiid!=0, rssiid+20,rssiid)
``````
Motivator

no joy 😞 . I had tried that one earlier but tried it again and no luck. Something tells me it has to do with this mvzip/mvexpand thing you helped me with before. Maybe the whole query would help

``````index="camera_status" sourcetype=access_combined_camerastatus 8773|rex max_match=0 "Premise=\s+(?<premiseid>\d+)"|rex max_match=0 "Mac=\s+(?<macid>[a-fA-F0-9\.:-]{12,17})"|rex max_match=0 "RSSI=\s+(?<rssiid>[^\s]+)"|rex max_match=0 "Model=\s+(?<cmodel>.+)"|dedup macid|eval temp=mvzip(macid,rssiid,"###") |mvexpand temp | rex field=temp "(?<macid>.+)###(?<rssiid>.+)"|eval rssiid=if(rssiid="dB",0,rssiid)|eval rssiid=if(cmodel="iCamera2-C" AND rssiid!=0, rssiid+-20,rssiid)|stats list(macid) as MAC, count(macid) as "Number of Cameras", list(rssiid) as RSSI  by premiseid|sort premiseid RSSI|rename RSSI as "Current RSSI"|rename premiseid as "PREMISE - Click for Detail"
``````
SplunkTrust

Whats the output of above command (what values are there in rssiid column, are they zero ?).

Motivator

Here is a sample

``````Current RSSI

0
0
-47
0

-27
-60
-45
-47
-59
-48

-52
-61
0
0

-51
-35
-45
-52
-45
-45
``````
SplunkTrust

Try adding this eval before the iCamera2 eval

``````...| eval rssiid=tonumber(trim(rssiid)) |eval rssiid=if(cmodel="iCamera2-C....."
``````
Motivator

Got it, using your help on the mvzip as a primer 🙂 . TY!!!

``````index="cox_camera_status" sourcetype=access_combined_cox_camerastatus |rex max_match=0 "Premise=\s+(?<premiseid>\d+)"|rex max_match=0 "Mac=\s+(?<macid>[a-fA-F0-9\.:-]{12,17})"|rex max_match=0 "RSSI=\s+(?<rssiid>[^\s]+)"|rex max_match=0 "Model=\s+(?<cmodel>.+)"|dedup macid|eval temp=mvzip(mvzip(macid,rssiid,"###"),cmodel,"###")|mvexpand temp | rex field=temp "(?<macid>.+)###(?<rssiid>.+)###(?<cmodel>.+)"|eval rssiid=if(cmodel="iCamera2-C" AND rssiid!=0, rssiid+-20,rssiid)|eval rssiid=if(rssiid="dB",0,rssiid)|stats list(macid) as MAC, list(cmodel) as "Camera Model" count(macid) as "Number of Cameras", list(rssiid) as RSSI  by premiseid|sort premiseid RSSI|rename RSSI as "Current RSSI"|rename premiseid as "PREMISE - Click for Detail"
``````
Get Updates on the Splunk Community!

#### Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the ...

#### Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We are happy to announce the 20 lucky questers who are selected to be the first round of Champion's Tribute ...

#### We’ve Got Education Validation!

Are you feeling it? All the career-boosting benefits of up-skilling with Splunk? It’s not just a feeling, it's ...