Splunk Search

If Statement or Nested If

hartfoml
Motivator

This statement works:
| eval Reason = if (Failure_Code = "0x12", "Account disabled, expired, locked out, logon hours","Don't_Know")

But how do I evaluate it so that Reason can be something different for different codes?

I tried this and it did not work:
| eval Reason = if (Failure_Code = "0x18", "Usually means bad password","(if (Failure_Code = "0x12", "Account disabled, expired, locked out, logon hours","Don't_Know")")

Is there any way to use "OR", maybe nesting the "if" in the not-true section like I did above, or maybe several eval statements? That didn't work either.


Ayn
Legend

You want case:

| eval Reason = case(Failure_Code = "0x18", "Usually means bad password",Failure_Code = "0x12", "Account disabled, expired, locked out, logon hours")

case does not by itself have a finishing default value if all of the previous statements are false, but as all statements are processed sequentially and the first matching one will be returned, you can easily finish off with a default value simply by putting in a statement you know to be true:

| eval Reason = case(Failure_Code = "0x18", "Usually means bad password",Failure_Code = "0x12", "Account disabled, expired, locked out, logon hours", 1=1, "Don't know")


stephane_cyrill
Builder

simply .......


rbrownlee
Engager

You may use multiple IF statements in the same eval, just remember to close them all.

For example:
| eval StartNum = if (
substr(TwitterID,1,1) = "0", 0,
if(substr(TwitterID,1,1) = "1", 1,
if(substr(TwitterID,1,1) = "2", 2,
if(substr(TwitterID,1,1) = "3", 3,
"over 3"
))))

TonyLeeVT
Builder

Thank you for answering the nested if statement question instead of proposing a case statement. The colorPalette expression option does not appear to like case statements.

https://docs.splunk.com/Documentation/Splunk/7.1.2/Viz/TableFormatsXML

However, your nested if option worked great. For example:

<colorPalette type="expression">if(value LIKE "Server 2003", "#00cc00", if(value LIKE "Windows 10","#00cc00","#D93F3C"))</colorPalette>

niketn
Legend

@TonyLeeVT thanks for sharing this hidden nugget! I thought a Simple XML JS extension was the only way for this scenario 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

bagarwal
Path Finder

Thanks a lot!! It helps 🙂


Skeeve
Engager

case does not by itself have a finishing default value if all of the previous statements are false, but as all statements are processed sequentially and the first matching one will be returned, you can easily finish off with a default value simply by putting in a statement you know to be true:

Alternatively one can use the coalesce function:

| eval Reason = coalesce( case(Failure_Code = "0x18", "Usually means bad password",Failure_Code = "0x12", "Account disabled, expired, locked out, logon hours"), "Don't know")
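
As an added example that is not from the thread, the search below builds a handful of constructed Failure_Code values with makeresults and shows the two approaches side by side: Ayn's case() with its first-match semantics, and Skeeve's coalesce() supplying the default when no branch matches. The descriptions for 0x17, 0x6 and 0x25 are my additions from the Kerberos error code table (RFC 4120), not from the thread, and 0x1F is left unmapped on purpose to show what an unmatched case() returns (null, not a string):

```spl
| makeresults
| eval Failure_Code = split("0x18,0x12,0x17,0x6,0x25,0x1F", ",")
| mvexpand Failure_Code
| eval Known = case(
      Failure_Code="0x18", "Usually means bad password (KDC_ERR_PREAUTH_FAILED)",
      Failure_Code="0x12", "Account disabled, expired, locked out, logon hours (KDC_ERR_CLIENT_REVOKED)",
      Failure_Code="0x17", "Password expired (KDC_ERR_KEY_EXPIRED)",
      Failure_Code="0x6",  "User name does not exist (KDC_ERR_C_PRINCIPAL_UNKNOWN)",
      Failure_Code="0x25", "Clock skew too great (KRB_AP_ERR_SKEW)")
| eval Reason = coalesce(Known, "Don't know (" . Failure_Code . ")")
| eval Unmapped = if(isnull(Known), "yes", "no")
| table Failure_Code Known Reason Unmapped
```

In the output the 0x1F row has an empty Known column, Reason "Don't know (0x1F)" and Unmapped "yes"; the other rows carry their mapped text. Keeping the raw code inside the default string is deliberate: a catch-all branch such as `1=1, "Don't know"` (or the equivalent `true()`) works just as well, but it hides which codes you have not mapped yet, whereas `| where isnull(Known)` or `| stats count by Failure_Code` on the unmapped rows tells you exactly what to add. Two caveats a practitioner will hit: Failure_Code is extracted as a string, so the comparison has to be against the quoted "0x18" form (an unquoted 0x18 never matches, which is the fix hartfoml arrived at further down), and if your source renders the hex digits in a different case, compare `lower(Failure_Code)` instead.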

hartfoml
Motivator

Thanks, this is a great add-on to the case statement for when the value is not known.



yvassilyeva
Path Finder

Hi! It seems like you might see where I am having trouble with the if statement. Thank you in advance!

I have a field called Status, and one of the values is called Queue. I want to replace the word Queue with either Risk or Missed, depending on another field called Dep. So if Dep=Risk, then the Queue value should be renamed Risk, and if Dep=Missed, then the Queue value should be renamed Missed. Here is my search:

| eval Status = if(Status="Queue", (case(Dep="RISK", RISK), (Dep="MISSED", MISSED)))


rfiscus
Path Finder

Thanks, that got it for me.

ECovell
Path Finder

Ayn...you are such an amazing help!!


hartfoml
Motivator

I put "" around the error code number "0x18" and it worked. Thanks for the help, this fixes it for me.


Ayn
Legend

You forgot to put a statement to evaluate before "Don't_Know". Put something like 1=1 in there and it should work.


hartfoml
Motivator

Thanks Ayn

I tried this case statement:
| eval Reason = case(Failure_Code == 0x18, "Usually means bad password",Failure_Code == 0x12, "Account disabled, expired, locked out, logon hours","Don't_Know")

but I must have the syntax wrong, as it did not work.
