https://community.splunk.com/t5/Splunk-Search/How-to-exclude-invoices-with-ID-350/m-p/478427#M134178 <P>Hello richgalloway,</P> <P>thanks for your answer. </P> <P>if i remove 350 in the where clause, i will have this : <BR /> 128 <STRONG>261313851</STRONG> screen<BR /> 307 538601320 aquarium</P> <P><STRONG>but</STRONG> this <STRONG>261313851</STRONG> invoice is not correct for me because it's contains too id = 350 so i want just : <BR /> 307 538601320 aquarium<BR /> .......</P> <P>How can i do please ? </P> <P>Thank you very much for your help and your advice. </P> Tue, 21 Apr 2020 07:32:22 GMT vita86 2020-04-21T07:32:22Z https://community.splunk.com/t5/Splunk-Search/How-to-exclude-invoices-with-ID-350/m-p/478425#M134176 <P>Hello, </P> <P>I'm training on splunk, I need help.</P> <P>I have an invoice list, extracted via this query : </P> <PRE><CODE>sourcetype="*_invoice" | where in (id,350,128,307) | table id invoice ProductType </CODE></PRE> <P>Result : <BR /> <STRONG>350 261313851 phone <BR /> 128 261313851 screen<BR /> 307 538601320 aquarium</STRONG> <BR /> .....</P> <P>But I have to exclude invoice number <STRONG>261313851</STRONG> because it contains id = 350.</P> <P>How can I do please ? foreach and condition if ? </P> <PRE><CODE>| Foreach invoice [eval status_invoice=if(id!=350, "ok", "ko")] | where status_invoice= "ok"? </CODE></PRE> <P>Thank you in advance for your help. </P> <P>Regards, <BR /> vita86</P> Mon, 20 Apr 2020 20:00:47 GMT https://community.splunk.com/t5/Splunk-Search/How-to-exclude-invoices-with-ID-350/m-p/478425#M134176 vita86 2020-04-20T20:00:47Z https://community.splunk.com/t5/Splunk-Search/How-to-exclude-invoices-with-ID-350/m-p/478426#M134177 <P>If you take 350 out of the <CODE>where</CODE> clause then those IDs will not be included.</P> <P>The <CODE>foreach</CODE> command iterates over the fields in a single event. Otherwise, commands iterate over each event returned by the previous command.</P> Mon, 20 Apr 2020 20:25:15 GMT https://community.splunk.com/t5/Splunk-Search/How-to-exclude-invoices-with-ID-350/m-p/478426#M134177 richgalloway 2020-04-20T20:25:15Z https://community.splunk.com/t5/Splunk-Search/How-to-exclude-invoices-with-ID-350/m-p/478427#M134178 <P>Hello richgalloway,</P> <P>thanks for your answer. </P> <P>if i remove 350 in the where clause, i will have this : <BR /> 128 <STRONG>261313851</STRONG> screen<BR /> 307 538601320 aquarium</P> <P><STRONG>but</STRONG> this <STRONG>261313851</STRONG> invoice is not correct for me because it's contains too id = 350 so i want just : <BR /> 307 538601320 aquarium<BR /> .......</P> <P>How can i do please ? </P> <P>Thank you very much for your help and your advice. </P> Tue, 21 Apr 2020 07:32:22 GMT https://community.splunk.com/t5/Splunk-Search/How-to-exclude-invoices-with-ID-350/m-p/478427#M134178 vita86 2020-04-21T07:32:22Z https://community.splunk.com/t5/Splunk-Search/How-to-exclude-invoices-with-ID-350/m-p/478428#M134179 <P>Thanks for clarifying the problem. See if this helps. It groups the events by invoice then filters out those invoices that have id=350. Then the group is broken up and the results displayed.</P> <PRE><CODE>sourcetype="*_invoice" (id=350 OR id=128 OR id=307) | stats values(*) as * by invoice `comment("mvfind returns NULL if '350' is not found")` | where isnull(mvfind(id, "350")) | mvexpand id | table id invoice ProductType </CODE></PRE> Tue, 21 Apr 2020 13:13:52 GMT https://community.splunk.com/t5/Splunk-Search/How-to-exclude-invoices-with-ID-350/m-p/478428#M134179 richgalloway 2020-04-21T13:13:52Z https://community.splunk.com/t5/Splunk-Search/How-to-exclude-invoices-with-ID-350/m-p/478429#M134180 <P>Thank you very much for your help and your explanation.</P> Wed, 22 Apr 2020 14:12:33 GMT https://community.splunk.com/t5/Splunk-Search/How-to-exclude-invoices-with-ID-350/m-p/478429#M134180 vita86 2020-04-22T14:12:33Z https://community.splunk.com/t5/Splunk-Search/How-to-exclude-invoices-with-ID-350/m-p/478430#M134181 <P>If your problem is resolved then please accept the answer to help future readers.</P> Thu, 23 Apr 2020 12:05:54 GMT https://community.splunk.com/t5/Splunk-Search/How-to-exclude-invoices-with-ID-350/m-p/478430#M134181 richgalloway 2020-04-23T12:05:54Z