Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- If statement with AND
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Is it possible to use AND in an eval if statement.. for instance if(volume =10, "normal" if(volume >35 AND <40, "loud")) and so on.. I would like to add a few more if's into that as well..Any thoughts on how to structure it?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes you could do that with if, but the moment you start nesting multiple ifs it's going to become hard to read.
Why don't you use case instead?
eval whatever = case (
volume = 10, "normal",
volume > 35 AND volume < 40, "loud",
1 = 1, "default rule"
)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes you could do that with if, but the moment you start nesting multiple ifs it's going to become hard to read.
Why don't you use case instead?
eval whatever = case (
volume = 10, "normal",
volume > 35 AND volume < 40, "loud",
1 = 1, "default rule"
)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can use case statement instead the syntax is
case (condition , TRUE, FALSE)
You can have nested case statements as well for eg.
|index=main | eval system=case(isnotnull(dest) AND dest!="unknown",dest,isnotnull(src) AND src!="unknown",src,isnotnull(dvc) AND dvc!="unknown",dvc,1=1,"unknown")
Data Management Digest – December 2025
Index This | What is broken 80% of the time by February?
Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...
