Re: how to specify or condition in if statement

thambisetty · ‎04-28-2014

Hi I want to write the search like this..

if(file_path=("C:" OR "D:" OR "E:" OR "c:" OR "d:" OR "e:"),"Local",file_path=("\\"),"Network",file_path=(".com" OR ".org"),"Web",USB)

Plz help me

————————————
If this helps, give a like below.

rsennett_splunk · ‎04-28-2014

You're looking for something like this, I believe:

eval path_type = if(match(file_path,"^(C|D|E|c|d|e)+:.+"),"Local",if(match(file_path,"^\\\\"),"Network",if(match(file_path,"\.(com|org)"),"Web",USB)))| table file_path path_type

The syntax is:
eval newfield = if(match(oldfield,"regex to match"),then,else)
and you put another if(match... in place of the "ELSE" value until you are done and finish with "USB"

It's late so my regex might be off.... but you get the idea:

http://docs.splunk.com/Documentation/Splunk/6.0.3/SearchReference/CommonEvalFunctions
Or if you want it "inline": http://docs.splunk.com/Documentation/Splunk/6.0.3/Search/Usestatswithevalexpressionsandfunctions

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!

martin_mueller · ‎04-28-2014

To avoid walls of closing parentheses you can use case() that takes any number of pairs of condition and value and returns the first value where the condition holds:

... | eval field = case(match(oldfield, "regex"), "foo", match(oldfield, "another regex"), "bar", ...)

how to specify or condition in if statement

Your Guide to SPL2 at .conf24!

Get ready to show some Splunk Certification swagger at .conf24!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...