topic Re: Adding filter to query using IN in Splunk Search

Adding filter to query using IN

shrogers — Thu, 03 Jun 2021 14:06:41 GMT

Can I please get some assistance on the below?

I'm trying to add a filter TRAN_CLASS!=6 to the below query. When I add the filter to after the index, Total_Pages2 shows a zero.

index=dev sourcetype IN (ibm:was:performanceLog, ibm:was:cp:performanceLog, ar:mdm) source IN ("/data/sharedDir/wp/*/logs/ARWP*Srv*/performance.log", "/data/sharedDir/cp/*/logs/ARCP*Srv*/sspperformance.log", "/data/infamdm_dev/hub/server/logs/EmpiW**bleep**Stats.log") | fields TRAN_TYPE, respTime | stats count(TRAN_TYPE) as Total_Pages1, count(respTime) as "Total_Pages2" | addtotals fieldname="Total Pages" |fields "Total Pages"

Any assistance provided is appreciated.

Re: Adding filter to query using IN

richgalloway — Thu, 03 Jun 2021 14:24:19 GMT

Please share the exact query using TRAN_CLASS!=6 so we can see how you're using it.

Have checked that events with TRAN_CLASS values other than 6 have a respTime field?

Re: Adding filter to query using IN

shrogers — Thu, 03 Jun 2021 14:41:05 GMT

Thank you for the assistance.

Please see the query with TRAN_CLASS!=6. TRAN_CLASS is only available in (ibm:was:performanceLog, ibm:was:cp:performanceLog)

index=dev TRAN_CLASS!=6 sourcetype IN (ibm:was:performanceLog, ibm:was:cp:performanceLog, ar:mdm) source IN ("/data/sharedDir/wp/*/logs/ARWP*Srv*/performance.log", "/data/sharedDir/cp/*/logs/ARCP*Srv*/sspperformance.log", "/data/infamdm_dev/hub/server/logs/EmpiW**bleep**Stats.log") | fields TRAN_TYPE, respTime | stats count(TRAN_TYPE) as Total_Pages1, count(respTime) as "Total_Pages2" | addtotals fieldname="Total Pages" |fields "Total Pages"

Re: Adding filter to query using IN

richgalloway — Fri, 04 Jun 2021 12:39:19 GMT

Try this alternative

index=dev NOT TRAN_CLASS=6 sourcetype IN (ibm:was:performanceLog, ibm:was:cp:performanceLog, ar:mdm) source IN ("/data/sharedDir/wp/*/logs/ARWP*Srv*/performance.log", "/data/sharedDir/cp/*/logs/ARCP*Srv*/sspperformance.log", "/data/infamdm_dev/hub/server/logs/EmpiW**bleep**Stats.log") | fields TRAN_TYPE, respTime | stats count(TRAN_TYPE) as Total_Pages1, count(respTime) as "Total_Pages2" | addtotals fieldname="Total Pages" |fields "Total Pages"

Re: Adding filter to query using IN

shrogers — Fri, 04 Jun 2021 15:18:18 GMT

Thank you for your assistance. That query works.

My only concern with using NOT instead of "!=" is that NOT will bring back all rows even if TRAN_CLASS=' '. Plus TRAN_CLASS is not a field in "ar:mdm" and just using "!=" will affect respTime.