How to perform nested if conditions in Splunk

naveenurs
Explorer

Example 1:

uatoken0=Linux
uatoken1=U
uatoken2=Android
uatoken3=en-us

Example 2:

uatoken0=Linux
uatoken1=Android 4.2.2
uatoken2=en-us

Example 3:
uatoken0=iPad
uatoken1=CPU OS 6_1_3 like Mac OS X
uatoken2=

I want to achieve the following:

**if** (uatoken0="Linux" **AND** **if** uatoken1="U")==**TRUE**
**then** OS=uatoken2
**else if**(uatoken0="Linux" **AND** **if** uatoken1="Android 4.2.2")
**then** OS=uatoken1
**else** OS=uatoken0;

This is what I have accomplished so far:

| eval uatokentmp=split(uatoken,";")
| eval uatoken0=mvindex(uatokentmp,0)
| eval uatoken1=mvindex(uatokentmp,1)
| eval uatoken2=mvindex(uatokentmp,2)
| eval uatoken3=mvindex(uatokentmp,3)
| eval uatoken4=mvindex(uatokentmp,4)
| eval uatoken5=mvindex(uatokentmp,5)
| eval OS=if(mvindex(uatokentmp,0)="Linux",
    (if(mvindex(uatokentmp,1)="U",
                mvindex(uatokentmp,2),
                mvindex(uatokentmp,1))),
    mvindex(uatokentmp,0))
| table OS uatoken0 uatoken1 uatoken2 uatoken3 uatoken4 uatoken5
| sort OS

This works for Example 2 and Example 3. However, it fails for Example 1. The output for Example 1 is OS="U".

I am not able to figure out what is wrong. Need another set of eyes to go through my code and help me.
If there is a better way to do this, please advise.


This is the original query that I was trying to run when I posted the question:

eventtype=video
| eval uatokentmp=split(uatoken,";")
| eval uatoken0=mvindex(uatokentmp,0)
| eval uatoken1=mvindex(uatokentmp,1)
| eval uatoken2=mvindex(uatokentmp,2)
| eval uatoken3=mvindex(uatokentmp,3)
| eval uatoken4=mvindex(uatokentmp,4)
| eval uatoken5=mvindex(uatokentmp,5)
| eval OS=if(mvindex(uatokentmp,0)="Linux",
    (if(mvindex(uatokentmp,1)="U",
                mvindex(uatokentmp,2),
                mvindex(uatokentmp,1))),
    mvindex(uatokentmp,0))
| table OS uatoken0 uatoken1 uatoken2 uatoken3 uatoken4 uatoken5
| sort OS

Sample uatoken output

0 Karma

Ayn
Legend

Uh, I don't see you using the suggested solutions at all in your search?

0 Karma

naveenurs
Explorer

I am not able to post it in the comments for some reason. So, I updated the post. I have also added the sample output.

0 Karma

lguinn2
Legend

Can you post the exact search string that you are now using? Thanks!

0 Karma

naveenurs
Explorer

match has not helped.

| OS | uatoken0 | uatoken1 | uatoken2 | uatoken3 | uatoken4 | uatoken5 |
| --- | --- | --- | --- | --- | --- | --- |
| Linux | Linux | U | Android 2.2.1 | en-us | SAMSUNG-SGH-I997 Build/FROYO | |

As you can see, OS is still showing as Linux and not Android.

0 Karma

naveenurs
Explorer

Thanks to both of you! Appreciate your help.

0 Karma

lguinn2
Legend

I second @Ayn's suggestion of the user agent parser.

0 Karma

Ayn
Legend

That's not a problem with case itself, that's something that depends on what you feed case with. In your case, you'll want to use match which performs regular expression matching against whatever field you want to use.

case(match(uatoken1,"^Android") ...

As a sidenote, if you're going into user agent parsing territory, godspeed. You might want to consider using the excellent user agent parser app that's available on splunkbase: http://splunk-base.splunk.com/apps/48017/ta-uas_parser

naveenurs
Explorer

Thanks for responding.

Using case has a problem. I will not be able to use a wildcard character for Android to select all Android versions. Essentially, my query should be if uatoken1=="Android*"

0 Karma

lguinn2
Legend

This should do it:

| eval OS = case(uatoken0=="Linux" AND uatoken1=="U", uatoken2,
                 uatoken0=="Linux" AND uatoken1=="Android 4.2.2", uatoken1,
                 1==1, uatoken0)

And as @Ayn mentions above, you can use the match() function as well...

| eval OS = case(match(uatoken0,"(?i)Linux") AND uatoken1=="U", uatoken2,
                 match(uatoken0,"(?i)Linux") AND match(uatoken1,"(?i)Android"), uatoken1,
                 1==1, uatoken0)

Note that my regexes above are set to be case-insensitive. The matches are simply looking for that string at any position within the variable's text.

Note that the case function conditions are evaluated in order; the first condition that evaluates to true is accepted and the remainder are ignored. So order of the clauses is important.
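
A self-contained search that combines the suggestions in this thread, added here as an example and not posted by anyone in the thread. It assumes uatoken values are separated by a semicolon followed by a space and uses constructed sample values (the EXAMPLE-* device names are placeholders). Because split() on ";" alone leaves the leading space on every token after the first, each token is trimmed before the ordered case() comparison, and the extra match() guard keeps a "Linux; U" value with no Android token from returning the locale as the OS.

```spl
| makeresults
| eval uatoken=mvappend(
    "Linux; U; Android 2.3.4; en-us; EXAMPLE-A Build/TEST",
    "Linux; Android 4.2.2; EXAMPLE-B Build/TEST",
    "Linux; U; en-us; EXAMPLE-C Build/TEST",
    "iPad; CPU OS 6_1_3 like Mac OS X") ```constructed sample values, not data from the thread```
| mvexpand uatoken
| eval uatokentmp=split(uatoken, ";") ```every token after the first still starts with a space here```
| eval uatoken0=trim(mvindex(uatokentmp, 0)),
       uatoken1=trim(mvindex(uatokentmp, 1)),
       uatoken2=trim(mvindex(uatokentmp, 2)) ```trim() strips that space so == and the ^ anchor behave as intended```
| eval OS=case(uatoken0=="Linux" AND uatoken1=="U" AND match(uatoken2, "^Android"), uatoken2,
               uatoken0=="Linux" AND match(uatoken1, "^Android"), uatoken1,
               1==1, uatoken0) ```clauses are tested in order; 1==1 is the default branch```
| table uatoken OS uatoken0 uatoken1 uatoken2
```

The search can be pasted into the search bar as-is: makeresults generates the events, so no index is read.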
