https://community.splunk.com/t5/Splunk-Search/How-to-perform-the-below-condition-in-Splunk-search/m-p/619941#M215481 <P>I have 3 date columns.I have already calculated the difference between current day and the diff is in days are the values in the 3 columns.&nbsp;&nbsp;</P> <TABLE border="0" width="192" cellspacing="0" cellpadding="0"> <TBODY> <TR> <TD width="64" height="17">Col1</TD> <TD width="64">Col2</TD> <TD width="64">Col3</TD> </TR> <TR> <TD height="17">12</TD> <TD>&nbsp;</TD> <TD>7</TD> </TR> <TR> <TD height="17">2</TD> <TD>34</TD> <TD>45</TD> </TR> <TR> <TD height="17">15</TD> <TD>25</TD> <TD>&nbsp;</TD> </TR> <TR> <TD height="17">250</TD> <TD>56</TD> <TD>120</TD> </TR> <TR> <TD height="17">21</TD> <TD>&nbsp;</TD> <TD>&nbsp;</TD> </TR> </TBODY> </TABLE> <P>Required filter :</P> <P>- i have&nbsp; to filter only days &lt;=40 in all 3 columns.</P> <P>- If a column has null and other 2 columns have values &lt;=40 then they need to be shown</P> <P>-if a column or 2 column has null and rest other column has value &lt;=40 they need to displayed</P> <P>-if a column is null and other column values are greater &gt;40 then they need to removed from scope.</P> <P>Please let me know the search .</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 08 Nov 2022 15:59:01 GMT dtccsundar 2022-11-08T15:59:01Z https://community.splunk.com/t5/Splunk-Search/How-to-perform-the-below-condition-in-Splunk-search/m-p/619941#M215481 <P>I have 3 date columns.I have already calculated the difference between current day and the diff is in days are the values in the 3 columns.&nbsp;&nbsp;</P> <TABLE border="0" width="192" cellspacing="0" cellpadding="0"> <TBODY> <TR> <TD width="64" height="17">Col1</TD> <TD width="64">Col2</TD> <TD width="64">Col3</TD> </TR> <TR> <TD height="17">12</TD> <TD>&nbsp;</TD> <TD>7</TD> </TR> <TR> <TD height="17">2</TD> <TD>34</TD> <TD>45</TD> </TR> <TR> <TD height="17">15</TD> <TD>25</TD> <TD>&nbsp;</TD> </TR> <TR> <TD height="17">250</TD> <TD>56</TD> <TD>120</TD> </TR> <TR> <TD height="17">21</TD> <TD>&nbsp;</TD> <TD>&nbsp;</TD> </TR> </TBODY> </TABLE> <P>Required filter :</P> <P>- i have&nbsp; to filter only days &lt;=40 in all 3 columns.</P> <P>- If a column has null and other 2 columns have values &lt;=40 then they need to be shown</P> <P>-if a column or 2 column has null and rest other column has value &lt;=40 they need to displayed</P> <P>-if a column is null and other column values are greater &gt;40 then they need to removed from scope.</P> <P>Please let me know the search .</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 08 Nov 2022 15:59:01 GMT https://community.splunk.com/t5/Splunk-Search/How-to-perform-the-below-condition-in-Splunk-search/m-p/619941#M215481 dtccsundar 2022-11-08T15:59:01Z https://community.splunk.com/t5/Splunk-Search/How-to-perform-the-below-condition-in-Splunk-search/m-p/619942#M215482 <P>HI&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/170299">@dtccsundar</a>,</P><P>you have to create a filter like this:</P><LI-CODE lang="markup">&lt;your search&gt; | fillnull value="-" Col1 | fillnull value="-" Col2 | fillnull value="-" Col3 | search (Col1&lt;=40 Col2&lt;=40 Col3&lt;=40) OR (Col1="-" Col2&lt;=40 Col3&lt;=40) OR (Col1&lt;=40 Col2="-" Col3&lt;=40) OR (Col1&lt;=40 Col2&lt;=40 Col3="-") OR (Col1="-" Col2="-" Col3&lt;=40) OR (Col1="-" Col2&lt;=40 Col3="-") OR (Col1&lt;=40 Col2="-" Col3="-")</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Mon, 07 Nov 2022 17:18:54 GMT https://community.splunk.com/t5/Splunk-Search/How-to-perform-the-below-condition-in-Splunk-search/m-p/619942#M215482 gcusello 2022-11-07T17:18:54Z https://community.splunk.com/t5/Splunk-Search/How-to-perform-the-below-condition-in-Splunk-search/m-p/620046#M215525 <P>Thank you .</P><P>But by using this , the difference in days less than 40 days are also removed .</P><P>Kindly help me with this search.</P><P>&nbsp;</P> Tue, 08 Nov 2022 06:34:05 GMT https://community.splunk.com/t5/Splunk-Search/How-to-perform-the-below-condition-in-Splunk-search/m-p/620046#M215525 dtccsundar 2022-11-08T06:34:05Z https://community.splunk.com/t5/Splunk-Search/How-to-perform-the-below-condition-in-Splunk-search/m-p/620053#M215528 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/170299">@dtccsundar</a>,</P><P>let me understand: what do you mean with "<SPAN>by using this , the difference in days less than 40 days are also removed "?</SPAN></P><P><SPAN>I built your all the conditions you described, what are conditions removed?</SPAN></P><P><SPAN>Ciao.</SPAN></P><P><SPAN>Giuseppe</SPAN></P> Tue, 08 Nov 2022 07:41:53 GMT https://community.splunk.com/t5/Splunk-Search/How-to-perform-the-below-condition-in-Splunk-search/m-p/620053#M215528 gcusello 2022-11-08T07:41:53Z https://community.splunk.com/t5/Splunk-Search/How-to-perform-the-below-condition-in-Splunk-search/m-p/620058#M215531 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/170299">@dtccsundar</a>&nbsp;</P><P>Are you looking for this?</P><LI-CODE lang="markup">YOUR_SEARCH |where (isnull(Col1) OR Col1="" OR Col1&gt;40) OR ((isnull(Col2) OR Col2="" OR Col2&gt;40)) OR (isnull(Col3) OR Col3="" OR Col3&gt;40)</LI-CODE><P><STRONG>My Sample Search :</STRONG></P><LI-CODE lang="markup">| makeresults | eval _raw="Col1 Col2 Col3 12 7 2 34 45 15 25 250 56 120 21 " | multikv forceheader=1 | table Col1 Col2 Col3 | rename comment as "Upto now is for data only" | where (isnull(Col1) OR Col1="" OR Col1&gt;40) OR ((isnull(Col2) OR Col2="" OR Col2&gt;40)) OR (isnull(Col3) OR Col3="" OR Col3&gt;40)</LI-CODE><P><BR />KV&nbsp;</P> Tue, 08 Nov 2022 08:16:44 GMT https://community.splunk.com/t5/Splunk-Search/How-to-perform-the-below-condition-in-Splunk-search/m-p/620058#M215531 kamlesh_vaghela 2022-11-08T08:16:44Z