Splunk Search

Facing trouble in validation of conditions using if statement

1132307
New Member

index=abcd source=xyz
| FILTERS
| eval s= case(S > 0 AND S <= 2, "V", S > 0 AND S <= 3, "O", S > 3 AND S <= 4, "D", S > 4 AND S <=5,"E")
| chart count over field by s

I'm trying to evaluate a field with the above given conditions. First condition limit is (0-2) and the second condition limit is (0-3).
The issue i'm facing is, as the first condition is satisfied it is not checking the second condition. But i need both the conditions to be Validated.

0 Karma

janispelss
Path Finder

As mentioned by others, that's how the case function is supposed to work. What would you expect "s" to evaluate to when "S" equals 1 or 2?

0 Karma

niketn
Legend

@1132307 so what do you mean by both conditions to be validated? If both conditions are true which one should be picked? As @richgalloway has mentioned Splunk will pick first condition which evaluates to true. If you always want to pick the second condition then swap your conditions.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

1132307
New Member

Is there any other command for this issue? So that it can validate both conditions to get the result.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

That's how case works in Splunk. Conditions are evaluated in order. Evaluation stops once a condition is met.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...