Splunk Search

Nested comparisons (using AND / OR with IF / CASE functions)- How would I add a second condition?

mark_cet
Path Finder

Hi everyone,

 

I am attempting to implement some logic in my alert searches but I can't seem to figure out how to do it.

 

I have some event data coming into Splunk that I want to trigger a Service Now incident creation using a priority value based on the event severity and the host environment (test, stage, prod, DR).

 

I am using a case statement to assign a severity ID depending on the alert severity:

| eval severity_id=case(Severity=="critical", 6, Severity=="major", 5, 1==1, 3)

 

If I want to add a second condition to check the value of the hostEnvironment field before setting the severity ID what would be the best way to do this?

E.G. If the severity = "critical" AND hostEnvironment = test then severity ID = 3.

E.G. If the severity = "critical" AND hostEnvironment = prod then severity ID = 6

etc. 

I am hoping there is a way to nest the comparison functions. 

 

Thanks in advance.

 

Labels (1)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

You don't have to nest the conditionals.  You can just use the same statements as in your explanation.

 

| eval severity_id=case(Severity=="critical" AND hostEnvironment ="prod", 6, Severity=="critical" AND hostEnvironment ="test", 3, Severity=="major", 5, 1==1, 3)

 

To nest conditional just put another case or if function in place of the value clause.

 

| eval severity_id=case(Severity=="critical", case(hostEnvironment="prod", 6, hostEnvironment="test", 3, 1==1, 3), Severity=="major", 5, 1==1, 3)

 

Or an easier to read version:

 

| eval severity_id=case(
    Severity=="critical", 
       case(hostEnvironment="prod", 6, 
            hostEnvironment="test", 3, 
            1==1, 3), 
    Severity=="major", 5,
    1==1, 3)

 

 

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

You don't have to nest the conditionals.  You can just use the same statements as in your explanation.

 

| eval severity_id=case(Severity=="critical" AND hostEnvironment ="prod", 6, Severity=="critical" AND hostEnvironment ="test", 3, Severity=="major", 5, 1==1, 3)

 

To nest conditional just put another case or if function in place of the value clause.

 

| eval severity_id=case(Severity=="critical", case(hostEnvironment="prod", 6, hostEnvironment="test", 3, 1==1, 3), Severity=="major", 5, 1==1, 3)

 

Or an easier to read version:

 

| eval severity_id=case(
    Severity=="critical", 
       case(hostEnvironment="prod", 6, 
            hostEnvironment="test", 3, 
            1==1, 3), 
    Severity=="major", 5,
    1==1, 3)

 

 

---
If this reply helps you, Karma would be appreciated.

mark_cet
Path Finder

Thank you very much for this richgalloway!

 

This worked perfectly.

0 Karma
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...