https://community.splunk.com/t5/Splunk-Search/Need-where-clause-query-to-be-implemented-on-specific-value/m-p/426025#M170734 <P>Very elegant solution <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Mon, 17 Jun 2019 06:43:45 GMT FrankVl 2019-06-17T06:43:45Z https://community.splunk.com/t5/Splunk-Search/Need-where-clause-query-to-be-implemented-on-specific-value/m-p/426022#M170731 <P>Hi, If anyone can help.<BR /> Below is my table which represents volume (count) Country wise. But I want to apply filter like - <BR /> If only country_code - US and count &gt; 10 or country_code - PH and count &gt; 30 or country_code - NR and count &gt; 10 , <BR /> then only these country_codes should be visible and for rest all with same value should be visible.</P> <P>City_Code Count<BR /> US 10<BR /> FN 5<BR /> IN 50<BR /> PH 30<BR /> MN 4<BR /> KL 8<BR /> NR 11</P> <P>So far I have used this query :</P> <P>index="countries" | bucket span=10m _time<BR /> | stats count by country_code</P> Wed, 30 Sep 2020 00:55:56 GMT https://community.splunk.com/t5/Splunk-Search/Need-where-clause-query-to-be-implemented-on-specific-value/m-p/426022#M170731 sahil237888 2020-09-30T00:55:56Z https://community.splunk.com/t5/Splunk-Search/Need-where-clause-query-to-be-implemented-on-specific-value/m-p/426023#M170732 <P>Like this:</P> <PRE><CODE>index="countries" | bucket span=10m _time | stats count by country_code | search (country_code="US" count &gt; 10) OR (country_code="PH" count &gt; 30) OR (country_code="NR" count &gt; 10) OR NOT country_code IN (US,PH,NR) </CODE></PRE> <P>Note: the <CODE>IN</CODE> operator requires Splunk 6.6 or newer.</P> Fri, 14 Jun 2019 13:31:26 GMT https://community.splunk.com/t5/Splunk-Search/Need-where-clause-query-to-be-implemented-on-specific-value/m-p/426023#M170732 FrankVl 2019-06-14T13:31:26Z https://community.splunk.com/t5/Splunk-Search/Need-where-clause-query-to-be-implemented-on-specific-value/m-p/426024#M170733 <P>Hi <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/92551">@sahil237888</a> ,</P> <P>I would use a lookup to do this, setting a threshold list for the countries. </P> <P>Example lookup CSV: <BR /> <PRE><BR /> City_Code,Threshold<BR /> US,10<BR /> PH,30<BR /> NR,10<BR /> </PRE></P> <P>Then you could do the following search:<BR /> <PRE><BR /> ... [ you search ] ...<BR /> | table City_Code Count<BR /> | lookup threshold_lookup City_Code OUTPUT Threshold<BR /> | fillnull Threshold<BR /> | where Count &gt; Threshold<BR /> </PRE></P> <P>Here is an example of how it would look using dummy events and data:<BR /> <IMG src="https://community.splunk.com/storage/temp/273911-screenshot-from-2019-06-14-09-41-38.png" alt="alt text" /></P> Wed, 30 Sep 2020 00:56:00 GMT https://community.splunk.com/t5/Splunk-Search/Need-where-clause-query-to-be-implemented-on-specific-value/m-p/426024#M170733 jnudell_2 2020-09-30T00:56:00Z https://community.splunk.com/t5/Splunk-Search/Need-where-clause-query-to-be-implemented-on-specific-value/m-p/426025#M170734 <P>Very elegant solution <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Mon, 17 Jun 2019 06:43:45 GMT https://community.splunk.com/t5/Splunk-Search/Need-where-clause-query-to-be-implemented-on-specific-value/m-p/426025#M170734 FrankVl 2019-06-17T06:43:45Z https://community.splunk.com/t5/Splunk-Search/Need-where-clause-query-to-be-implemented-on-specific-value/m-p/426026#M170735 <P>How can I use * operator with search command or where command - if the country_code is different?</P> Mon, 17 Jun 2019 07:49:02 GMT https://community.splunk.com/t5/Splunk-Search/Need-where-clause-query-to-be-implemented-on-specific-value/m-p/426026#M170735 sahil237888 2019-06-17T07:49:02Z https://community.splunk.com/t5/Splunk-Search/Need-where-clause-query-to-be-implemented-on-specific-value/m-p/426027#M170736 <P>I don't really understand your question, can you clarify a bit what you mean?</P> Mon, 17 Jun 2019 07:52:22 GMT https://community.splunk.com/t5/Splunk-Search/Need-where-clause-query-to-be-implemented-on-specific-value/m-p/426027#M170736 FrankVl 2019-06-17T07:52:22Z