topic Re: command "where" not working in Splunk Search

command "where" not working

gitingua — Wed, 27 Oct 2021 14:48:33 GMT

the "where" command checks only one condition

doesn't work like that

my search:

. . . .

| where NOT (id_old = id OR user = username)

but there is a separate input, then everything works correctly.

help plz

Re: command "where" not working

vikramyadav — Wed, 27 Oct 2021 15:05:10 GMT

Hi @gitingua ,

I don't think so like this way where command gonna work. If you wanted to remove this (id_old = id OR user = username) field value pair then simply filter in your search.

eg:- index=test NOT (id_old = id OR user = username)

--------------------------------------

If this reply helps you, an upvote would be appreciated.

Namaste 😊

Re: command "where" not working

isoutamo — Wed, 27 Oct 2021 15:19:38 GMT

you could use OR AND etc. with where as you can see on https://docs.splunk.com/Documentation/Splunk/8.2.2/SearchReference/Where

Could it be that there is confusion with field name and constant? Search and where works different way with those. Please see docs and maybe this helps https://community.splunk.com/t5/All-Apps-and-Add-ons/Difference-between-WHERE-and-SEARCH-commands/m-p/199047

There should be quite good explanation how those are differing, but I cannot find it now with google.

r. Ismo

Re: command "where" not working

gitingua — Wed, 27 Oct 2021 15:22:43 GMT

@vikramyadav These parameters are used as a check.

file.csv

user	id_old	info2
john	abcd	qwer

index = IndexName

username	id	info2
Aram	ghjk	qweiq

Condition, if the user is not found in the file, then write it to the file

the check is that if the id in index is not equal to id_old in file.csv, then it is added to the file with different values. or an event arrived in the index with a new user and after checking it is not in file.csv, then it is added to the file

example:

index="IndexName"
| table username, id, info2
| lookup file.csv user as username output id_old user
| where NOT (id_old = id or username = user) <- This line checks only one condition. if I put only one condition, it works correctly. And I need if one condition is true then check the following

@vikramyadav Help pls

Re: command "where" not working

gitingua — Wed, 27 Oct 2021 15:37:23 GMT

@vikramyadav

| where id_old != id or username != user

that doesn't work either

Re: command "where" not working

isoutamo — Wed, 27 Oct 2021 15:41:47 GMT

You should use OR not or.

Re: command "where" not working

gitingua — Wed, 27 Oct 2021 16:00:39 GMT

tried it, no result

Re: command "where" not working

isoutamo — Wed, 27 Oct 2021 16:07:37 GMT

And those fields have values, not contains NULL? If needed add like (isnotnull(field1) AND isnotnull(field2)) AND field1 != field2

Re: command "where" not working

vikramyadav — Wed, 27 Oct 2021 16:44:26 GMT

Hi @gitingua ,

try this

index="IndexName"
| table username, id, info2
| lookup file.csv user as username output id_old user
| eval newuser = (id_old ,username)
| where NOT newuser

Also, can you let me know exactly what output you are looking for?

--------------------------------------

If this reply helps you, an upvote would be appreciated.

Namaste 😊

Re: command "where" not working

isoutamo — Wed, 27 Oct 2021 17:03:55 GMT

I think that this

| where NOT (id_old = id OR user = username)

should be

| where (id_old != id AND user != username)