topic Re: Please help me out to filter or restrict with exact value as mentioned below? in Getting Data In

Please help me out to filter or restrict with exact value as mentioned below?

Shan — Tue, 29 Sep 2020 20:43:24 GMT

Hi All,

Need your help on finding a solution for below problem..

This is how my data appear in Index.

I want to filter only data having value like "SPLUNK" or "SPLUNK,HTSV" or "SPLUNK,CHECK" etc from all the following labels (labels,label1,label2,label3,label4). I want to exclude following data "SPLUNK-AUTOCHECK" , "SPLUNK-Mining", "DATA,SPLUNK-TRANSACTION",SPLUNK_TRANSACTION","SPLUNK-AUTO","SPLUNK_AUTO". I want to remove all the value which start with "SPLUNK-************" , "SPLUNK_************"
I was trying to filter using the below query . But I'm unable to achieve it.

index=****  labels="SPLUNK" OR label1="SPLUNK" OR  label2="SPLUNK" OR  label4="SPLUNK"

When i use above query. I'm getting following values "SPLUNK-AUTO","DATA,SPLUNK-TRANSACTION","SPLUNK","SPLUNK,HTSV","SPLUNK-AUTOCHECK" . But i need only values like "SPLUNK".

I can able to achieve it with below mentioned query. But still i want to achieve it without NOT condition.

index=****  labels="SPLUNK" OR label1="SPLUNK" OR  label2="SPLUNK" OR  label4="SPLUNK" NOT "SPLUNK-"

Thanks in advance...

Re: Please help me out to filter or restrict with exact value as mentioned below?

niketn — Sun, 05 Aug 2018 09:52:02 GMT

@shankarananth do your events have labels, label1, label2 and label4 available in each event?

In your question you have mentioned that you need values of "SPLUNK" or "SPLUNK,HTSV" or "SPLUNK,CHECK" etc but in your filter you have just used "SPLUNK". What isetc`? Are there fixed number of combinations or patterns?

In you question you have mentioned filter to be applied on all label fields i.e. labels,label1,label2,label3,label4 but in your query label3 is not present. Is it not required for filtering?

Following is a run anywhere search which generates data as per your question:

| makeresults 
| eval labels="Project,SPLUNK-TRANSACTION", label1="SPLUNK-AUTO", label2="SPLUNK-AUTOCHECK",label3="SPLUNK-AUTOCHECK",label4="SPLUNK-Minig" 
| append 
    [| makeresults 
    | eval labels="SPLUNK-AUTO", label1="SPLUNK", label2="SPLUNK-Mining",label3="SPLUNK-Evaluate",label4="SPLUNK"] 
| append 
    [| makeresults 
    | eval labels="DATA,SPLUNK-TRANSACTION", label1="SPLUNK-AUTO", label2="SPLUNK-TRANSACTION,Fill",label3="SPLUNK",label4="SPLUNK,HTSV"] 
| append 
    [| makeresults 
    | eval labels="SPLUNK,HTSV", label1="SPLUNK,HTSV", label2="SPLUNK,HTSV",label3="SPLUNK,Search",label4="SPLUNK,Data mining"] 
| append 
    [| makeresults 
    | eval labels="KT,SPLUNK-HTSV", label1="SPLUNK_TRANSACTION", label2="SPLUNK",label3="SPLUNK",label4="SPLUNK,Super Store"] 
| append 
    [| makeresults 
    | eval labels="KT,SPLUNK-HTSV,htsv", label1="SPLUNK,CHECK", label2="SPLUNK,CHECK",label3="SPLUNK,CHECK",label4="SPLUNK"] 
| append 
    [| makeresults 
    | eval labels="SPLUNK", label2="SPLUNK,HTSV",label3="SPLUNK,CHECK",label4="SPLUNK_AUTO"] 
    | table labels label*

Based on your question and sample data following check will give all rows that are present in your data i.e. with filter "SPLUNK","SPLUNK,HTSV","SPLUNK,CHECK" applied on labels, label1, label2 and label4 fields:

| search labels IN ( "SPLUNK","SPLUNK,HTSV","SPLUNK,CHECK" ) OR label1 IN ( "SPLUNK","SPLUNK,HTSV","SPLUNK,CHECK" ) OR label2 IN ( "SPLUNK","SPLUNK,HTSV","SPLUNK,CHECK" ) OR label4 IN ( "SPLUNK","SPLUNK,HTSV","SPLUNK,CHECK" )

Following is a query similar to your question with only SPLUNK filter applied on labels, label1, label2 and label4 fields:

 | search labels="SPLUNK" OR label1="SPLUNK" OR label2="SPLUNK" OR label4="SPLUNK"

It returns 4 of the 7 rows provided in your data. Which are the rows you think are listed incorrectly? Do you need some specific columns to be removed instead?

Please add more clarification.

Re: Please help me out to filter or restrict with exact value as mentioned below?

Shan — Sun, 05 Aug 2018 16:30:21 GMT

@niketnilay ,

Labels,label1, label2,label3, label4 won't be available in all events. One event may contain atleast one label or may be 2, 3 labels. Max one event can contain minimum 1 labels and maximum 5 labels. I need to fetch data only having value as "SPLUNK". Etc mean there are n number of combination value with "SPLUNK" . I have provided little sample data here ..

Re: Please help me out to filter or restrict with exact value as mentioned below?

Shan — Sun, 05 Aug 2018 16:31:26 GMT

@niketnilay ,

Re: Please help me out to filter or restrict with exact value as mentioned below?

Shan — Mon, 06 Aug 2018 11:59:22 GMT

@niketnilay ,

If you have some update. Please let me know ..

Re: Please help me out to filter or restrict with exact value as mentioned below?

Shan — Thu, 16 Aug 2018 09:32:19 GMT

Any update on above query ?