Splunk Search

If Statement or Nested If

Motivator

This statement works:
| eval Reason = if (FailureCode = "0x12", "Account disabled, expired, locked out, logon hours","Don'tKnow")

But how do I evaluate it so that Reason can be something different for different codes?

I tried this and it did not work:
| eval Reason = if (FailureCode = "0x18", "Usually means bad password","(if (FailureCode = "0x12", "Account disabled, expired, locked out, logon hours","Don't_Know")")

Is there any way to use "OR", maybe nesting the "if" in the not-true section like I did above? Maybe several eval statements, but that didn't work either.


Legend

You want case:

| eval Reason = case(Failure_Code = "0x18", "Usually means bad password",Failure_Code = "0x12", "Account disabled, expired, locked out, logon hours")

case does not by itself have a finishing default value if all of the previous statements are false, but as all statements are processed sequentially and the first matching one will be returned, you can easily finish off with a default value simply by putting in a statement you know to be true:

| eval Reason = case(Failure_Code = "0x18", "Usually means bad password",Failure_Code = "0x12", "Account disabled, expired, locked out, logon hours", 1=1, "Don't know")


simply .......


Engager

You may use multiple IF statements in the same eval, just remember to close them all.

For example:
| eval StartNum = if (
substr(TwitterID,1,1) = "0", 0,
if(substr(TwitterID,1,1) = "1", 1,
if(substr(TwitterID,1,1) = "2", 2,
if(substr(TwitterID,1,1) = "3", 3,
"over 3"
))))

Builder

Thank you for answering the nested if statement question instead of proposing a case statement. The colorPalette expression option does not appear to like case statements.

https://docs.splunk.com/Documentation/Splunk/7.1.2/Viz/TableFormatsXML

However, your nested if option worked great. For example:

<colorPalette type="expression">if(value LIKE "Server 2003", "#00cc00", if(value LIKE "Windows 10","#00cc00","#D93F3C"))</colorPalette>

SplunkTrust

@TonyLeeVT thanks for sharing this hidden nugget! I thought Simple XML JS extension was the only way for this scenario 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Path Finder

Thanks a lot!! It helps 🙂


Engager

case does not by itself have a finishing default value if all of the previous statements are false, but as all statements are processed sequentially and the first matching one will be returned, you can easily finish off with a default value simply by putting in a statement you know to be true:

Alternatively one can use the coalesce function:

| eval Reason = coalesce( case(Failure_Code = "0x18", "Usually means bad password",Failure_Code = "0x12", "Account disabled, expired, locked out, logon hours"), "Don't know")
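As an added example (mine, not from any poster in this thread), a self-contained search that builds five sample events with makeresults and puts the three forms discussed above side by side: case with a 1=1 default, the nested if, and coalesce over a case that has no default. The Matched column shows that case returns null when no condition is true, which is why coalesce can supply the fallback. Codes 0x17 and 0x25 are two further standard Kerberos error codes (password expired, clock skew) added here for illustration; the thread itself only uses 0x12 and 0x18.

```spl
| makeresults count=5
| streamstats count AS row
| eval FailureCode = case(row=1, "0x18", row=2, "0x12", row=3, "0x17", row=4, "0x25", row=5, "0x99")
| eval ReasonCase = case(
    FailureCode="0x18", "Usually means bad password",
    FailureCode="0x12", "Account disabled, expired, locked out, logon hours",
    FailureCode="0x17", "Password expired",
    FailureCode="0x25", "Clock skew too great",
    1=1, "Don't know")
| eval ReasonNestedIf = if(FailureCode="0x18", "Usually means bad password",
    if(FailureCode="0x12", "Account disabled, expired, locked out, logon hours",
    if(FailureCode="0x17", "Password expired",
    if(FailureCode="0x25", "Clock skew too great",
    "Don't know"))))
| eval ReasonCoalesce = coalesce(case(
    FailureCode="0x18", "Usually means bad password",
    FailureCode="0x12", "Account disabled, expired, locked out, logon hours",
    FailureCode="0x17", "Password expired",
    FailureCode="0x25", "Clock skew too great"), "Don't know")
| eval Matched = if(isnull(case(
    FailureCode="0x18", 1, FailureCode="0x12", 1,
    FailureCode="0x17", 1, FailureCode="0x25", 1)), "no", "yes")
| table FailureCode ReasonCase ReasonNestedIf ReasonCoalesce Matched
```

The hex codes are compared as quoted strings throughout; an unquoted 0x18 is not a string literal in eval, which is the mistake corrected further down in the thread. Row 5 ("0x99") is the constructed no-match case and should read "Don't know" in all three Reason columns with Matched = "no".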

Motivator

Thanks, this is a great add-on to the case statement for when the value is not known.



Path Finder

Hi! It seems like you might see where I am having trouble with the if statement. Thank you in advance!

I have a field called Status, and one of the values is called Queue. I want to replace the word Queue with either Risk or Missed, depending on another field called Dep. So if Dep=Risk, then the Queue value should be renamed Risk, and if Dep=Missed, then the Queue value should be renamed Missed. Here is my search:

| eval Status = if(Status="Queue", (case(Dep="RISK", RISK), (Dep="MISSED", MISSED)))


Path Finder

Thanks, that got it for me.

Path Finder

Ayn...you are such an amazing help!!


Motivator

I put "" around the error code number "0x18" and it worked. Thanks for the help, this fixes it for me.


Legend

You forgot to put a statement to evaluate before "Don't_Know". Put something like 1=1 in there and it should work.


Motivator

Thanks Ayn

I tried this case statement:
| eval Reason = case(FailureCode == 0x18, "Usually means bad password",FailureCode == 0x12, "Account disabled, expired, locked out, logon hours","Don't_Know")

but I must have the syntax wrong as it did not work.
