How to work with nested Ifs and cases in a query?

mjon395
Explorer

Hello,

It's possible that I've had too long of a day, but I can't wrap my head around nesting many ifs.  Is anyone willing to help me out?  I am really bad at writing out SPL queries to make them visually understandable with parentheses and commas.  Does anyone have some additional tips on that as well that would be useful for these nested scenarios?

For example:

| eval new_field = if(pass_fail="fail",
    if(importance="0" OR importance="1",
        case(
            Days<7 OR State="Online","Gold",
            Days>=7 AND Days<14,"Orange",
            Days>=14,"Red"),
        if(importance="2",
            case(
                Days<30 OR State="Online","Gold",
                Days>=30 AND Days<60,"Orange",
                Days>=60,"Red"),
            if(importance="3",
                case(
                    Days<60 OR State="Online","Gold",
                    Days>=60 AND Days<120,"Orange",
                    Days>=120,"Red"),
                "importance_3_false"),
            "importance_2_false"),
        "importance_1_0_false"),
    "main_if_fail")

The idea is to break out into a new field by first looking at only the "fail" items, and then further breaking down the "fail" items by their importance (which can be 0, 1, 2, 3), where 0 and 1, 2, and 3 have their own case statements.  All the case statements and ifs should be true, and the "importance_3_false" (for example) values are more for debugging and should never actually show in my output.

I appreciate any help and thank you.

Error in 'eval' command: The arguments to the 'if' function are invalid.

1 Solution

bowesmana
SplunkTrust

I believe you may be looking for this syntax

| eval new_field = if(pass_fail="fail",
    case(
        importance="0" OR importance="1", case(
            Days<7 OR State="Online","Gold",
            Days>=7 AND Days<14,"Orange",
            Days>=14,"Red",
            1==1,"importance_1_0_false"),
        importance="2", case(
            Days<30 OR State="Online","Gold",
            Days>=30 AND Days<60,"Orange",
            Days>=60,"Red",
            1==1,"importance_2_false"),
        importance="3", case(
            Days<60 OR State="Online","Gold",
            Days>=60 AND Days<120,"Orange",
            Days>=120,"Red",
            1==1,"importance_3_false"),
        1==1,"importance_fail"),
    "main_if_fail")

It can often be confusing to use nested ifs, so the above has a single if checking for pass_fail="fail".

After that it checks the importance value with CASE, not IF, and then has the nested case to check for the Days condition.

Then there is a 1==1,"importance_fail", which is the case where pass_fail="fail" and importance does not match 0, 1, 2 or 3.

Hope this helps.
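The same banding can be flattened one step further, as an added example that is not from this thread: look up the per-importance threshold first, then let a single case() do the Gold/Orange/Red banding. It assumes the field names from the question, and relies on the Orange and Red cut-offs always being double the Gold one (7/14, 30/60, 60/120), which holds for the values posted here; the "days_unexpected" label is a made-up debugging value in the style of the question's own fallbacks.

```spl
| eval gold_limit = case(importance="0" OR importance="1", 7,
                         importance="2", 30,
                         importance="3", 60)
| eval red_limit = gold_limit * 2
| eval new_field = if(pass_fail="fail",
      case(
          isnull(gold_limit), "importance_fail",
          Days<gold_limit OR State="Online", "Gold",
          Days<red_limit, "Orange",
          Days>=red_limit, "Red",
          1==1, "days_unexpected"),
      "main_if_fail")
```

Because case() returns the first matching branch, the Orange test does not need an explicit `Days>=gold_limit`; anything below gold_limit has already been caught by the Gold branch, and an unknown importance leaves gold_limit null and so lands in "importance_fail".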


mjon395
Explorer

Thanks!  This worked perfectly, and the nested cases instead of ifs really makes it a lot more understandable for me.  I'm pretty sure I will need to go one step deeper, so a nested nested case, but should be doable with some trial and error!

Thanks for pointing me the right way.
