https://community.splunk.com/t5/Splunk-Search/stats-with-where-clause-not-filtering/m-p/534415#M151018 <P>field name is case-sensitive, so&nbsp;<SPAN>senderIP is not same with&nbsp;SenderIP.<BR /><BR /></SPAN></P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">index=source |stats max(_time) as _time, values(from) as Sender, values(rcpt) as Recipients, values(subject) as Subject, values(hops_ip) as SenderIP　by ref |where like(SenderIP, "10.%") | rename ref as Reference</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P><SPAN>Also, there are too many minor mistakes.&nbsp;</SPAN></P> Wed, 30 Dec 2020 01:08:54 GMT to4kawa 2020-12-30T01:08:54Z https://community.splunk.com/t5/Splunk-Search/stats-with-where-clause-not-filtering/m-p/534411#M151017 <P>Good day everyone,</P><P>Ran into following problem,</P><P>The query<BR />index=source | eval time=strftime(_time, "%+)</P><P>|stats</P><P>max(time)</P><P>values(from) as Sender,</P><P>values(rcpt) as Recipients,</P><P>value(subject) as Subject</P><P>values(hops_ip) as SenderIP</P><P>values (ref) as Reference</P><P>by ref |where like(senderIP, "10.%)</P><P>&nbsp;</P><P>Not sure where went wrong, senderIP which is not 10.% is still showing. I did noticed that the ref value appears multiple times for different transaction, that could be the cause? Happy new year in advance!</P> Wed, 30 Dec 2020 00:55:16 GMT https://community.splunk.com/t5/Splunk-Search/stats-with-where-clause-not-filtering/m-p/534411#M151017 thailam 2020-12-30T00:55:16Z https://community.splunk.com/t5/Splunk-Search/stats-with-where-clause-not-filtering/m-p/534415#M151018 <P>field name is case-sensitive, so&nbsp;<SPAN>senderIP is not same with&nbsp;SenderIP.<BR /><BR /></SPAN></P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">index=source |stats max(_time) as _time, values(from) as Sender, values(rcpt) as Recipients, values(subject) as Subject, values(hops_ip) as SenderIP　by ref |where like(SenderIP, "10.%") | rename ref as Reference</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P><SPAN>Also, there are too many minor mistakes.&nbsp;</SPAN></P> Wed, 30 Dec 2020 01:08:54 GMT https://community.splunk.com/t5/Splunk-Search/stats-with-where-clause-not-filtering/m-p/534415#M151018 to4kawa 2020-12-30T01:08:54Z https://community.splunk.com/t5/Splunk-Search/stats-with-where-clause-not-filtering/m-p/534423#M151019 <P>I have tried the following, however the IP which is not "10%" still showing. Thanks sincerely!</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="thailam_4-1609298479012.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/12391iC8A39E6BCDE5AFFB/image-size/medium?v=v2&amp;px=400" role="button" title="thailam_4-1609298479012.png" alt="thailam_4-1609298479012.png" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="thailam_3-1609298303390.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/12390i8425FAFDC45736B8/image-size/medium?v=v2&amp;px=400" role="button" title="thailam_3-1609298303390.png" alt="thailam_3-1609298303390.png" /></span></P><P>&nbsp;</P> Wed, 30 Dec 2020 03:22:34 GMT https://community.splunk.com/t5/Splunk-Search/stats-with-where-clause-not-filtering/m-p/534423#M151019 thailam 2020-12-30T03:22:34Z https://community.splunk.com/t5/Splunk-Search/stats-with-where-clause-not-filtering/m-p/534433#M151022 <P>your SenderIP is multivalue. it can't work with <STRONG>where like()<BR /><BR /></STRONG></P><P>If you only know the logs, you should make single value from SenderIP.&nbsp;</P> Wed, 30 Dec 2020 05:04:58 GMT https://community.splunk.com/t5/Splunk-Search/stats-with-where-clause-not-filtering/m-p/534433#M151022 to4kawa 2020-12-30T05:04:58Z https://community.splunk.com/t5/Splunk-Search/stats-with-where-clause-not-filtering/m-p/534435#M151024 <P>The log has for example "ref" in the log sometime may show different IP. Is anyway i can achieve something similar and to filter away unwanted IP? Thanks!</P> Wed, 30 Dec 2020 05:17:49 GMT https://community.splunk.com/t5/Splunk-Search/stats-with-where-clause-not-filtering/m-p/534435#M151024 thailam 2020-12-30T05:17:49Z https://community.splunk.com/t5/Splunk-Search/stats-with-where-clause-not-filtering/m-p/534440#M151025 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/230057">@thailam</a>,</P><P>You should better filter hops_ip before stats like below;</P><LI-CODE lang="markup">index=source hops_ip="10.0.0.0/8" | stats max(_time) as _time values(from) as Sender values(rcpt) as Recipients values(subject) as Subject values(hops_ip) as SenderIP values(ref) as Reference by ref </LI-CODE> Wed, 30 Dec 2020 07:23:55 GMT https://community.splunk.com/t5/Splunk-Search/stats-with-where-clause-not-filtering/m-p/534440#M151025 scelikok 2020-12-30T07:23:55Z https://community.splunk.com/t5/Splunk-Search/stats-with-where-clause-not-filtering/m-p/534442#M151026 <P>Hi Scelikok,</P><P>&nbsp;</P><P>Just tried that, it works however the sender and recipients is now empty <span class="lia-unicode-emoji" title=":confused_face:">😕</span></P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="thailam_0-1609313651881.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/12396i94FD50CE90FD924E/image-size/medium?v=v2&amp;px=400" role="button" title="thailam_0-1609313651881.png" alt="thailam_0-1609313651881.png" /></span></P><P>&nbsp;</P> Wed, 30 Dec 2020 07:35:00 GMT https://community.splunk.com/t5/Splunk-Search/stats-with-where-clause-not-filtering/m-p/534442#M151026 thailam 2020-12-30T07:35:00Z https://community.splunk.com/t5/Splunk-Search/stats-with-where-clause-not-filtering/m-p/534446#M151028 <P>Only reason maybe "from" and "rcpt" field names are wrong. Can you please check is there is something wrong about case or typo. Do you see these fields on "Interesting Fields" list?&nbsp;</P> Wed, 30 Dec 2020 08:21:10 GMT https://community.splunk.com/t5/Splunk-Search/stats-with-where-clause-not-filtering/m-p/534446#M151028 scelikok 2020-12-30T08:21:10Z https://community.splunk.com/t5/Splunk-Search/stats-with-where-clause-not-filtering/m-p/534454#M151030 <P>Hi Scelikok</P><P>&nbsp;</P><P>Yes that's correct, its not showing right after i've moved the where clause to the top.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="thailam_0-1609318381887.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/12397i431EBCE4929BEBCA/image-size/medium?v=v2&amp;px=400" role="button" title="thailam_0-1609318381887.png" alt="thailam_0-1609318381887.png" /></span></P><P>&nbsp;</P> Wed, 30 Dec 2020 08:55:15 GMT https://community.splunk.com/t5/Splunk-Search/stats-with-where-clause-not-filtering/m-p/534454#M151030 thailam 2020-12-30T08:55:15Z https://community.splunk.com/t5/Splunk-Search/stats-with-where-clause-not-filtering/m-p/534647#M151083 <P>I think this is correct, where can only filter a single value. Have tried, whenever there is only single value it correctly removes it.</P> Mon, 04 Jan 2021 05:36:07 GMT https://community.splunk.com/t5/Splunk-Search/stats-with-where-clause-not-filtering/m-p/534647#M151083 thailam 2021-01-04T05:36:07Z https://community.splunk.com/t5/Splunk-Search/stats-with-where-clause-not-filtering/m-p/534649#M151085 <P>Due to the log "ref" value may sometime appears multiple times, is there a way i am able to filter by "ref" together with "hdr_mid"?</P> Mon, 04 Jan 2021 05:38:05 GMT https://community.splunk.com/t5/Splunk-Search/stats-with-where-clause-not-filtering/m-p/534649#M151085 thailam 2021-01-04T05:38:05Z