Splunk Search

How do I edit my eval syntax with multiple if conditions to produce a certain field?

changux
Builder

Hi all.

I have a ruleset like this:

MODEL_NUMBER1 AND BTT = SUBTYPE1
MODEL_NUMBER2 AND CTT = SUBTYPE2
MODEL_NUMBER3 AND RTT = SUBTYPE3
MODEL_NUMBER4 AND PTT = SUBTYPE4

My dataset has the MODEL_NUMBER value in 5 fields (IP_TYPE1...IP_TYPE5) and the other value in the field IP_KIND.

I need to reproduce the same logic in a new resulting field. I am doing something like this:

sourcetype=temp | 
eval RESULTING_FIELD = if(IP_TYPE1 == "MODEL NUMBER 1" OR IP_TYPE2 == "MODEL NUMBER 1" OR IP_TYPE3 == "MODEL NUMBER 1" OR IP_TYPE4 == "MODEL NUMBER 1" OR IP_TYPE5 == "MODEL NUMBER 1" AND IP_KIND == "BTT", "SUBTYPE1", "OTHER")

Works fine for the first subtype, but how can I produce a complete statement covering all the fields? I tried with case without success (no OTHER).

Thanks!


ryhluc01
Communicator

Please choose an answer for this question


somesoni2
SplunkTrust

Since you have more than 2 conditions, you should use eval case instead of eval if. Like this:

 sourcetype=temp | 
 eval RESULTING_FIELD = case(
     (IP_TYPE1="MODEL NUMBER 1" OR IP_TYPE2="MODEL NUMBER 1" OR IP_TYPE3="MODEL NUMBER 1" OR IP_TYPE4="MODEL NUMBER 1" OR IP_TYPE5="MODEL NUMBER 1") AND IP_KIND="BTT", "SUBTYPE1",
     (IP_TYPE1="MODEL NUMBER 2" OR IP_TYPE2="MODEL NUMBER 2" OR IP_TYPE3="MODEL NUMBER 2" OR IP_TYPE4="MODEL NUMBER 2" OR IP_TYPE5="MODEL NUMBER 2") AND IP_KIND="CTT", "SUBTYPE2",
     (IP_TYPE1="MODEL NUMBER 3" OR IP_TYPE2="MODEL NUMBER 3" OR IP_TYPE3="MODEL NUMBER 3" OR IP_TYPE4="MODEL NUMBER 3" OR IP_TYPE5="MODEL NUMBER 3") AND IP_KIND="RTT", "SUBTYPE3",
     (IP_TYPE1="MODEL NUMBER 4" OR IP_TYPE2="MODEL NUMBER 4" OR IP_TYPE3="MODEL NUMBER 4" OR IP_TYPE4="MODEL NUMBER 4" OR IP_TYPE5="MODEL NUMBER 4") AND IP_KIND="PTT", "SUBTYPE4",
     true(), "OTHER")

changux
Builder

Thanks. You mean:

  sourcetype=temp | 
  eval RESULTING_FIELD = case(
      (IP_TYPE1="MODEL NUMBER 1" OR IP_TYPE2="MODEL NUMBER 1" OR IP_TYPE3="MODEL NUMBER 1" OR IP_TYPE4="MODEL NUMBER 1" OR IP_TYPE5="MODEL NUMBER 1") AND IP_KIND="BTT", "SUBTYPE1",
      (IP_TYPE1="MODEL NUMBER 2" OR IP_TYPE2="MODEL NUMBER 2" OR IP_TYPE3="MODEL NUMBER 2" OR IP_TYPE4="MODEL NUMBER 2" OR IP_TYPE5="MODEL NUMBER 2") AND IP_KIND="CTT", "SUBTYPE2",
      (IP_TYPE1="MODEL NUMBER 3" OR IP_TYPE2="MODEL NUMBER 3" OR IP_TYPE3="MODEL NUMBER 3" OR IP_TYPE4="MODEL NUMBER 3" OR IP_TYPE5="MODEL NUMBER 3") AND IP_KIND="RTT", "SUBTYPE3",
      (IP_TYPE1="MODEL NUMBER 4" OR IP_TYPE2="MODEL NUMBER 4" OR IP_TYPE3="MODEL NUMBER 4" OR IP_TYPE4="MODEL NUMBER 4" OR IP_TYPE5="MODEL NUMBER 4") AND IP_KIND="PTT", "SUBTYPE4",
      true(), "OTHER")

My resulting field only shows OTHER, any idea?

changux
Builder

Solved: the problem was accents in the IP_TYPE strings.


jkat54
SplunkTrust

There's no "you should use eval case", it's a preference in my humble opinion.

Did you try my search?

jkat54
SplunkTrust
See if this works (put those ORs in parentheses):

 sourcetype=temp | 
 eval RESULTING_FIELD = if((IP_TYPE1 == "MODEL NUMBER 1" OR IP_TYPE2 == "MODEL NUMBER 1" OR IP_TYPE3 == "MODEL NUMBER 1" OR IP_TYPE4 == "MODEL NUMBER 1" OR IP_TYPE5 == "MODEL NUMBER 1") AND IP_KIND == "BTT", "SUBTYPE1", "OTHER")

jkat54
SplunkTrust

Or maybe I'm misunderstanding your request here.

If you're trying to have the same if but for model number 2, 3, etc... Try this

First, zip the fields into one field to help shorten your if/case statement:

 |eval a=mvzip(IP_TYPE1,IP_TYPE2) | eval b=mvzip(IP_TYPE3,IP_TYPE4)| eval c=mvzip(a,b) | eval d=mvzip(c,IP_TYPE5) 

Then use if/case with match:

   | eval result=if((match(d,".*MODEL NUMBER 1.*") AND IP_KIND=="BTT"), "Subtype1",
                 if((match(d,".*MODEL NUMBER 2.*") AND IP_KIND=="CTT"), "Subtype2", "other"))

For each other subtype, replace "other" with another if/match statement. Just remember to add another closing parenthesis ")" at the end for each if you start.

It's usually the syntax that gets you on these long if or case statements.

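As an added example that is not from any of the posters above, here is the full ruleset applied to constructed sample rows, combining the two approaches in this thread: somesoni2's case() with a true() default, and jkat54's idea of collapsing the five IP_TYPE fields into one field first. It uses mvappend instead of mvzip, so the five values stay separate multivalue entries, and mvfind with an anchored regex, so that a value like "MODEL NUMBER 10" is not mistaken for "MODEL NUMBER 1" the way ".*MODEL NUMBER 1.*" would match it. The makeresults rows, the field names and the filler value "WIDGET" are assumptions made for this example; replace the first five lines with your own sourcetype=temp search.

```spl
| makeresults
| eval data="MODEL NUMBER 1|WIDGET|WIDGET|WIDGET|WIDGET,BTT;WIDGET|MODEL NUMBER 2|WIDGET|WIDGET|WIDGET,CTT;MODEL NUMBER 10|WIDGET|WIDGET|WIDGET|WIDGET,BTT;WIDGET|WIDGET|WIDGET|WIDGET|MODEL NUMBER 3,RTT;MODEL NUMBER 4|WIDGET|WIDGET|WIDGET|WIDGET,BTT"
| makemv delim=";" data
| mvexpand data
| rex field=data "^(?<IP_TYPE1>[^|]+)\|(?<IP_TYPE2>[^|]+)\|(?<IP_TYPE3>[^|]+)\|(?<IP_TYPE4>[^|]+)\|(?<IP_TYPE5>[^|]+),(?<IP_KIND>\w+)$"
| eval models=mvappend(IP_TYPE1, IP_TYPE2, IP_TYPE3, IP_TYPE4, IP_TYPE5)
| eval RESULTING_FIELD=case(
      isnotnull(mvfind(models, "^MODEL NUMBER 1$")) AND IP_KIND="BTT", "SUBTYPE1",
      isnotnull(mvfind(models, "^MODEL NUMBER 2$")) AND IP_KIND="CTT", "SUBTYPE2",
      isnotnull(mvfind(models, "^MODEL NUMBER 3$")) AND IP_KIND="RTT", "SUBTYPE3",
      isnotnull(mvfind(models, "^MODEL NUMBER 4$")) AND IP_KIND="PTT", "SUBTYPE4",
      true(), "OTHER")
| table IP_TYPE1 IP_TYPE2 IP_TYPE3 IP_TYPE4 IP_TYPE5 IP_KIND RESULTING_FIELD
```

Expected results for the five constructed rows: SUBTYPE1, SUBTYPE2, OTHER (model 10 is not model 1), SUBTYPE3 and OTHER (model 4 paired with BTT instead of PTT). mvfind returns the index of the first multivalue entry matching the regex and null when nothing matches, which is why isnotnull() is used as the boolean. Note that eval string comparisons are exact: letter case, surrounding whitespace and accented characters all count, which is the kind of mismatch that makes every row fall through to OTHER as changux saw; wrapping both sides of the comparison in upper(trim(...)) removes the first two sources of mismatch, and the regex can be loosened if the data legitimately carries accents.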