how to specify or condition in if statement

thambisetty · ‎04-28-2014

Hi I want to write the search like this..

if(file_path=("C:" OR "D:" OR "E:" OR "c:" OR "d:" OR "e:"),"Local",file_path=("\\"),"Network",file_path=(".com" OR ".org"),"Web",USB)

Plz help me

————————————
If this helps, give a like below.

rsennett_splunk · ‎04-28-2014

You're looking for something like this, I believe:

eval path_type = if(match(file_path,"^(C|D|E|c|d|e)+:.+"),"Local",if(match(file_path,"^\\\\"),"Network",if(match(file_path,"\.(com|org)"),"Web",USB)))| table file_path path_type

The syntax is:
eval newfield = if(match(oldfield,"regex to match"),then,else)
and you put another if(match... in place of the "ELSE" value until you are done and finish with "USB"

It's late so my regex might be off.... but you get the idea:

http://docs.splunk.com/Documentation/Splunk/6.0.3/SearchReference/CommonEvalFunctions
Or if you want it "inline": http://docs.splunk.com/Documentation/Splunk/6.0.3/Search/Usestatswithevalexpressionsandfunctions

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!

martin_mueller · ‎04-28-2014

To avoid walls of closing parentheses you can use case() that takes any number of pairs of condition and value and returns the first value where the condition holds:

... | eval field = case(match(oldfield, "regex"), "foo", match(oldfield, "another regex"), "bar", ...)

how to specify or condition in if statement

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?