https://community.splunk.com/t5/Security/Multiple-quot-where-like-quot-on-a-CSV-file/m-p/449700#M10508 <P>The CSV has over 100k entries. When I <STRONG>timechart</STRONG> this search I see about 6800 results. I receive values for all 3 months I searched. However, when I table the same search and I click the GUI sort on TIME I am only seeing Jan and Feb. The results from the search shows the same number 6800. Is there some limitation to populating tables I am unaware of when dealing with CSV's? or Is there possibly something wrong with my WHERE statement?</P> <P>| inputlookup foo.csv<BR /> | eval output=toString(Date) + " " + (CreatedHour)<BR /> | eval _time=strptime(output,"%b %d,%Y %I:%M%p")<BR /> | eval TIME=strftime(_time, "%b-%d-%Y %I:%M %p")<BR /> | dedup IncidentId<BR /> | where like(TIME, "Jan%") OR like(TIME, "Feb%") OR like(TIME, "Mar%") <BR /> | where like(Queue, "In-Country%") <BR /> | sort -_time<BR /> | table Queue IncidentId TIME</P> Tue, 29 Sep 2020 20:32:16 GMT nqjpm 2020-09-29T20:32:16Z https://community.splunk.com/t5/Security/Multiple-quot-where-like-quot-on-a-CSV-file/m-p/449700#M10508 <P>The CSV has over 100k entries. When I <STRONG>timechart</STRONG> this search I see about 6800 results. I receive values for all 3 months I searched. However, when I table the same search and I click the GUI sort on TIME I am only seeing Jan and Feb. The results from the search shows the same number 6800. Is there some limitation to populating tables I am unaware of when dealing with CSV's? or Is there possibly something wrong with my WHERE statement?</P> <P>| inputlookup foo.csv<BR /> | eval output=toString(Date) + " " + (CreatedHour)<BR /> | eval _time=strptime(output,"%b %d,%Y %I:%M%p")<BR /> | eval TIME=strftime(_time, "%b-%d-%Y %I:%M %p")<BR /> | dedup IncidentId<BR /> | where like(TIME, "Jan%") OR like(TIME, "Feb%") OR like(TIME, "Mar%") <BR /> | where like(Queue, "In-Country%") <BR /> | sort -_time<BR /> | table Queue IncidentId TIME</P> Tue, 29 Sep 2020 20:32:16 GMT https://community.splunk.com/t5/Security/Multiple-quot-where-like-quot-on-a-CSV-file/m-p/449700#M10508 nqjpm 2020-09-29T20:32:16Z https://community.splunk.com/t5/Security/Multiple-quot-where-like-quot-on-a-CSV-file/m-p/449701#M10509 <P>1) The <CODE>dedup</CODE> command is throwing away some results.</P> <P>2) It makes no sense to sort on "TIME" since your date format is not sortable. </P> <P>3) Sort has a limit on how many records it will return. Use <CODE>| sort 0</CODE> to eliminate the limit.</P> <P>4) Can an <CODE>IncidentId</CODE> be in more than one <CODE>Queue</CODE>? If so, did you want only the final one? </P> Fri, 20 Jul 2018 22:23:26 GMT https://community.splunk.com/t5/Security/Multiple-quot-where-like-quot-on-a-CSV-file/m-p/449701#M10509 DalJeanis 2018-07-20T22:23:26Z https://community.splunk.com/t5/Security/Multiple-quot-where-like-quot-on-a-CSV-file/m-p/449702#M10510 <P>1) The dedup command is throwing away some results.<BR /> <EM>Realize now this is not the appropriate location to use this. Thanks good catch.</EM></P> <P>2) It makes no sense to sort on "TIME" since your date format is not sortable. <BR /> <EM>Changed to sort on _time</EM></P> <P>3) Sort has a limit on how many records it will return. Use | sort 0 to eliminate the limit.<BR /> When I tried <CODE>| sort 0</CODE> it errors out to "You must specify fields to sort."</P> <P>4) Can an IncidentId be in more than one Queue? If so, did you want only the final one? <BR /> <EM>Yes it can be in more than one Queue and I am seeking the final one as you surmised.</EM> </P> Tue, 24 Jul 2018 14:05:36 GMT https://community.splunk.com/t5/Security/Multiple-quot-where-like-quot-on-a-CSV-file/m-p/449702#M10510 nqjpm 2018-07-24T14:05:36Z