https://community.splunk.com/t5/Splunk-Search/Why-isn-t-my-where-clause-working-in-this-similar-search/m-p/358300#M105927 <P>I want to run a search but can't figure out what's the difference when I make changes to it using the 'where' clause</P> <P>What's the difference between</P> <PRE><CODE>...base search extension!=NULL|where Module="previewservice" | chart count by Module, FinalState </CODE></PRE> <P>and </P> <PRE><CODE> ...base search |where Module="previewservice" AND extension!=NULL| chart count by Module, FinalState </CODE></PRE> <P>The first one produces an output while the second one does not <span class="lia-unicode-emoji" title=":confused_face:">😕</span></P> Tue, 26 Sep 2017 12:33:43 GMT pranaynanda 2017-09-26T12:33:43Z https://community.splunk.com/t5/Splunk-Search/Why-isn-t-my-where-clause-working-in-this-similar-search/m-p/358300#M105927 <P>I want to run a search but can't figure out what's the difference when I make changes to it using the 'where' clause</P> <P>What's the difference between</P> <PRE><CODE>...base search extension!=NULL|where Module="previewservice" | chart count by Module, FinalState </CODE></PRE> <P>and </P> <PRE><CODE> ...base search |where Module="previewservice" AND extension!=NULL| chart count by Module, FinalState </CODE></PRE> <P>The first one produces an output while the second one does not <span class="lia-unicode-emoji" title=":confused_face:">😕</span></P> Tue, 26 Sep 2017 12:33:43 GMT https://community.splunk.com/t5/Splunk-Search/Why-isn-t-my-where-clause-working-in-this-similar-search/m-p/358300#M105927 pranaynanda 2017-09-26T12:33:43Z https://community.splunk.com/t5/Splunk-Search/Why-isn-t-my-where-clause-working-in-this-similar-search/m-p/358301#M105928 <P>Your first search string is the more efficient of the two, as it's best to exclude as early as possible. However, to make the second example work, replace<BR /> <CODE>And extension!=NULL</CODE><BR /> with<BR /> <CODE>isnotnull(extension)</CODE></P> <P>This is because <CODE>where</CODE> uses <CODE>eval</CODE> expressions, one of which is the function <CODE>isnotnull</CODE>. In your second example <CODE>extension!=NULL</CODE> is actually interpreted as <CODE>&lt;fieldA&gt; is not equal to &lt;fieldB&gt;</CODE> (where <CODE>&lt;fieldB&gt;</CODE> is a non-existent field called NULL).<BR /> For reference, see the documentation on Informational Functions (<A href="http://docs.splunk.com/Documentation/SplunkCloud/6.6.1/SearchReference/InformationalFunctions">http://docs.splunk.com/Documentation/SplunkCloud/6.6.1/SearchReference/InformationalFunctions</A>)</P> Tue, 26 Sep 2017 12:48:02 GMT https://community.splunk.com/t5/Splunk-Search/Why-isn-t-my-where-clause-working-in-this-similar-search/m-p/358301#M105928 RPiccone 2017-09-26T12:48:02Z https://community.splunk.com/t5/Splunk-Search/Why-isn-t-my-where-clause-working-in-this-similar-search/m-p/358302#M105929 <P>Salut! You Sir are a true genius!</P> Tue, 26 Sep 2017 13:06:31 GMT https://community.splunk.com/t5/Splunk-Search/Why-isn-t-my-where-clause-working-in-this-similar-search/m-p/358302#M105929 pranaynanda 2017-09-26T13:06:31Z