nested condition in splunk

Question

I am looking for below result.

• india without scanner IP blocked

• india without scanner IP nonblocked

• india with scanner IP blocked

• india with scanner Ip non blocked where ip1,ip2=>Scannner IP

I have tried the below one ..but it's showing only "india without scanner IP blocked" count

| eval BlockedStatus = case ( src !="ip1" OR src !="ip2.*" OR blocked=1,"india without scanner IP blocked", src !="ip1" OR src !="ip2*" OR  blocked=0 ,"india without scanner IP nonblocked" ,src ="ip1" OR src ="ip2" OR blocked=1,"india with scanner IP blocked", src ="ip1" OR src ="ip2" OR blocked=0 ," india with scanner Ip non blocked ")
| stats count by eventtype,BlockedStatus 
| rename eventtype as "Local Market",count as "Total Critical Events"

Answer 1

The logic in the case statement is faulty. Just about everything will match src!=ip1 OR src!=ip2 OR blocked=1. I think some of the ORs should be ANDs and that some parentheses are needed.

Maybe this is closer to what is intended?

eval BlockedStatus = case ( src !="ip1" AND src !="ip2" AND 
  blocked=1,"india without scanner IP blocked", src !="ip1" AND src !="ip2" AND 
  blocked=0 ,"india without scanner IP nonblocked" ,(src ="ip1" OR src ="ip2")
  AND blocked=1,"india with scanner IP blocked", (src ="ip1" OR src ="ip2") AND
  blocked=0 ," india with scanner Ip non blocked ", 1==1, "Error")
| stats count by eventtype,BlockedStatus 
| rename eventtype as "Local Market",count as "Total Critical Events"