Solved: If Statment or Nested If

hartfoml · ‎06-17-2011

This statement works:
| eval Reason = if (Failure_Code = "0x12", "Account disabled, expired, locked out, logon hours","Don't_Know")

But how to I evaluate it so that reason can be something different for different codes.

I tried this and it did not work:
| eval Reason = if (Failure_Code = "0x18", "Usually means bad password","(if (Failure_Code = "0x12", "Account disabled, expired, locked out, logon hours","Don't_Know")")

Is there any way to use "OR" maybe nesting the "if" in the not true section like I did above maybe several eval statements but that didn’t work either.

Ayn · ‎06-17-2011

You want case:

| eval Reason = case(Failure_Code = "0x18", "Usually means bad password",Failure_Code = "0x12", "Account disabled, expired, locked out, logon hours")

case does not by itself have a finishing default value if all of the previous statements are false, but as all statements are processed sequentially and the first matching one will be returned, you can easily finish off with a default value simply by putting in a statement you know to be true:

| eval Reason = case(Failure_Code = "0x18", "Usually means bad password",Failure_Code = "0x12", "Account disabled, expired, locked out, logon hours", 1=1, "Don't know")

View solution in original post

stephane_cyrill · ‎04-26-2015

simply .......

rbrownlee · ‎04-08-2014

You may use multiple IF statements in the same eval, just remember to close them all.

For example:
| eval StartNum = if (
substr(TwitterID,1,1) = "0", 0,
if(substr(TwitterID,1,1) = "1", 1,
if(substr(TwitterID,1,1) = "2", 2,
if(substr(TwitterID,1,1) = "3", 3,
"over 3"
))))

TonyLeeVT · ‎08-04-2018

Thank you for answering the nested if statement question instead of proposing a case statement. The colorPalette expression option does not appear to like case statements.

https://docs.splunk.com/Documentation/Splunk/7.1.2/Viz/TableFormatsXML

However, your nested if option worked great. For example:

<colorPalette type="expression">if(value LIKE "Server 2003", "#00cc00", if(value LIKE "Windows 10","#00cc00","#D93F3C"))</colorPalette>

niketn · ‎08-04-2018

@TonyLeeVT thanks for sharing this hidden nugget! I thought Simple XML JS extesion was the only way for this scenario 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

bagarwal · ‎05-31-2016

Thanks a lot!! It helps 🙂

Skeeve · ‎02-22-2012

case does not by itself have a finishing default value if all of the previous statements are false, but as all statements are processed sequentially and the first matching one will be returned, you can easily finish off with a default value simply by putting in a statement you know to be true:

Alternatively one can use the coalesce function:

| eval Reason = coalesce( case(Failure_Code = "0x18", "Usually means bad password",Failure_Code = "0x12", "Account disabled, expired, locked out, logon hours"), "Don't know")

hartfoml · ‎02-22-2012

thanks this is a great addon to the case statment for when the value is not known

Ayn · ‎06-17-2011

You want case:

| eval Reason = case(Failure_Code = "0x18", "Usually means bad password",Failure_Code = "0x12", "Account disabled, expired, locked out, logon hours")

case does not by itself have a finishing default value if all of the previous statements are false, but as all statements are processed sequentially and the first matching one will be returned, you can easily finish off with a default value simply by putting in a statement you know to be true:

| eval Reason = case(Failure_Code = "0x18", "Usually means bad password",Failure_Code = "0x12", "Account disabled, expired, locked out, logon hours", 1=1, "Don't know")

yvassilyeva · ‎08-27-2020

HI! It seems like you might see where i am having trouble with the if statement. Thank you in advance!

I have a field called Status, and once of the values is called Queue. I want to replace the word Queue with either Risk or Missed - that is dependent on another field called Dep. So if Dep=Risk, then the Queue value should be renamed Risk, and if Dep=Missed, then Queue value should be renamed as Missed. Here is my search:

| eval Status = if(Status="Queue", (case(Dep="RISK", RISK), (Dep="MISSED", MISSED)))

rfiscus · ‎11-02-2015

Thanks, that got it for me.

ECovell · ‎04-15-2014

Ayn...you are such an amazing help!!

hartfoml · ‎06-17-2011

I put "" around the error code number "0x18" and it worked. thanks for the help this fixes it for me.

Ayn · ‎06-17-2011

You forgot to put a statement to evaluate before "Don't_Know". Put something like 1=1 in there and it should work.

hartfoml · ‎06-17-2011

Thanks Ayn

I tried this case statment:
| eval Reason = case(Failure_Code == 0x18, "Usually means bad password",Failure_Code == 0x12, "Account disabled, expired, locked out, logon hours","Don't_Know")

but I most have the syntax wrong as it did not work.

If Statment or Nested If

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)