Solved: If statement with AND

mansel_scheffel · ‎08-17-2016

Hi,

Is it possible to use AND in an eval if statement.. for instance if(volume =10, "normal" if(volume >35 AND <40, "loud")) and so on.. I would like to add a few more if's into that as well..Any thoughts on how to structure it?

javiergn · ‎08-17-2016

Yes you could do that with if, but the moment you start nesting multiple ifs it's going to become hard to read.
Why don't you use case instead?

eval whatever = case (
    volume = 10, "normal",
    volume > 35 AND volume < 40, "loud",
    1 = 1, "default rule"
)

View solution in original post

javiergn · ‎08-17-2016

Yes you could do that with if, but the moment you start nesting multiple ifs it's going to become hard to read.
Why don't you use case instead?

eval whatever = case (
    volume = 10, "normal",
    volume > 35 AND volume < 40, "loud",
    1 = 1, "default rule"
)

hardikJsheth · ‎08-17-2016

You can use case statement instead the syntax is
case (condition , TRUE, FALSE)

You can have nested case statements as well for eg.
|index=main | eval system=case(isnotnull(dest) AND dest!="unknown",dest,isnotnull(src) AND src!="unknown",src,isnotnull(dvc) AND dvc!="unknown",dvc,1=1,"unknown")

If statement with AND

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation