Documenting Problems That Were Difficult To Find The Answer To

If With Multiple Conditions in Splunk Eval

A common thing one wants to do with the if() function in Splunk's eval command is to test more than one condition at once. Unfortunately this is poorly documented on the Splunk website.

You combine the conditions with the AND and OR keywords (not the && or || you might have expected from other languages). Wrapping each individual comparison in its own parentheses keeps the precedence unambiguous.


index=os sourcetype=ps host=myhost01
  |rex field=CPUTIME "^((?<c_days>\d+)-)?(?<c_hours>\d\d):(?<c_mins>\d\d):(?<c_secs>\d\d)$"
  |eval cpusec=(if( isnum(c_days), c_days, 0)*24*3600) + (c_hours*3600) + (c_mins*60) + c_secs
  |eval aa_inrange=if( (cpusec>1000) AND (cpusec<2000), 1, 0 )
  |search aa_inrange=1

The rex breaks the ps CPUTIME value (formatted as an optional day count followed by hh:mm:ss) into named groups; the day group is optional, so c_days is null when it is absent and the isnum() test turns it into 0 before the total number of CPU seconds is computed. The second eval is the multi-condition if(): both comparisons must be true for aa_inrange to be set to 1.
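The same idea extends to OR and NOT and to more than two conditions. The search below is an added example, not part of the original post: it keeps the CPUTIME parsing from above but flags a process either when its CPU time is in the 1000-2000 second band or when it has used more than a day of CPU and is not running as root, and it uses case() for the multi-way version of the same kind of test. The USER and COMMAND fields are assumed to come from the ps sourcetype (they are not mentioned in the original post), and the 86400-second threshold is an arbitrary illustrative value.

```spl
index=os sourcetype=ps host=myhost01
  | rex field=CPUTIME "^((?<c_days>\d+)-)?(?<c_hours>\d\d):(?<c_mins>\d\d):(?<c_secs>\d\d)$"
  | eval cpusec=(coalesce(c_days, 0)*86400) + (c_hours*3600) + (c_mins*60) + c_secs
  | eval suspect=if( (cpusec>1000 AND cpusec<2000) OR (cpusec>=86400 AND NOT (USER="root")), 1, 0 )
  | eval cpuband=case( cpusec<1000, "low",
                       cpusec>=1000 AND cpusec<2000, "mid",
                       cpusec>=2000, "high",
                       true(), "unknown" )
  | where suspect=1
  | table host USER COMMAND CPUTIME cpusec cpuband
```

coalesce() replaces the isnum() trick for the missing day count, case() evaluates its condition/value pairs in order and returns the value for the first true one (true() supplies the default), and where is used instead of search because the comparison is on a field computed by eval. Note that in eval double quotes denote string literals, so USER="root" compares the field USER against the string root.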

