How to check if multiple conditions are true?

iomega311 · ‎03-17-2022

I am looking for a way to check for multiple conditions to match, and if they are met, output a specific word... such as "true".

Example:
my_cool_search_here | eval condition_met=if(user=* AND DoW IN (Mon,Wed) AND HoD IN (01,02,03) AND hostname IN ("hostname.hostdomain","hostname.hostdomain"), "true")

I don't know if that makes sense... but essentially I want to check whether "user" has ANY value, and then if the fields "DoW", "HoD", and "hostname" have specific values out of a possible range.... and if all that matches, then set the value of "condition_met" to "true".

I know I can do this for a single field/value, but how would I accomplish this for multiple different conditions?

Thanks!

ITWhisperer · ‎03-18-2022

my_cool_search_here | eval condition_met=if(isnotnull(user) AND DoW IN (Mon,Wed) AND HoD IN (01,02,03) AND hostname IN ("hostname.hostdomain","hostname.hostdomain"), "true", null())

SanjayReddy · ‎03-17-2022

Hi @iomega311

as you only want true results,
please use Case condition and ,

I have updated the query with CASE condition and filed values in qutes

Query 1

my_cool_search_here | eval condition_met=case(user="*" AND (DoW="Mon" OR DoW="Wed") AND (HoD="01" OR HoD="02" OR HoD="03") AND (hostname="hostname.hostdomain" OR hostname="hostname.hostdomain"), "true")

OR
Query 2

my_cool_search_here | eval condition_met=case(user="*" AND DoW IN ("Mon","Wed") AND HoD IN ("01","02","03") AND hostname IN ("hostname.hostdomain","hostname.hostdomain"), "true")

How to check if multiple conditions are true?

eval

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

Everything Community at .conf24!

Index This | I’m short for "configuration file.” What am I?