topic Re: Filtering in Splunk Search

Filtering

smanojkumar — Tue, 30 Jan 2024 15:09:57 GMT

Hi Splunkers,

I dont need the value in first line and need that value later in search to filter, so I tried tis way to skip the value
dmz

type IN (if($machine$=="DMZ",true,$machine$)

Is that will work?

Thanks in Advance!

Re: Filtering

richgalloway — Tue, 30 Jan 2024 15:00:09 GMT

The IN operator expects a parenthesized list of values. The if function is not valid in the search command so, no this will not work.

Re: Filtering

smanojkumar — Wed, 31 Jan 2024 07:29:42 GMT

Hi @richgalloway ,
Thanks for your response!
I'm using this search in the macro definition, i want this to be fixed any possible ways of tweak this command to make it working.

I need that value in later part of this search, I just need to skip at this moment.

Thanks in Advance!
Manoj Kumar S

Re: Filtering

PickleRick — Wed, 31 Jan 2024 07:47:38 GMT

It's not clear what your data is and what you want to get from it.

But as general rule - you can't remove something from your data and process it later. At every pipe in your pipeline you have only the data you got from earliest steps.

So for example if you do:

index=myindex
| fields - source
| eval sourcematch=if(source="mysource",1,0)

The field sourcematch in your results will always be 0, because you remove the field "source" from your resulting events so you can't rely on it to calculate something in further steps on your processing pipeline.

Re: Filtering

smanojkumar — Wed, 31 Jan 2024 09:55:25 GMT

Hi @PickleRick ,

I don't want to remove the value, I just want to skip for that instance only if DMZ is passed as token value, when other values are passed, the condition needs to be there,
I'm having a value from dashboard input dropdown to macro, where I need the condition to skip when DMZ is passed.

Thanks in Advance!
Manoj Kumar S

Re: Filtering

PickleRick — Wed, 31 Jan 2024 10:07:29 GMT

What do you mean by "skip"?

Re: Filtering

smanojkumar — Wed, 31 Jan 2024 10:10:29 GMT

Hi @PickleRick ,
I don't want that condition to be considered, Its a multiselect value, when some other values are passed along with this, its working but when DMZ alone is passed, its not working, because in type, we don't categorized dmz, so we weren't use that value, so I want to skip only for that value, is that possible.

Re: Filtering

PickleRick — Wed, 31 Jan 2024 10:15:17 GMT

For conditional evaluations you can use if() or case() functions with the eval command.

I still don't understand what you want to "not consider". You want to return values not matching a filter? Evaluate a field only for some subset of events? Something else?

A multiselect is a widget in a dashboard. You're posting this in Splunk Search section. What's the connection between one and the other? Please post some sample of events (anonymized if needed), desired outcome and additional conditions affecting the search (like this multisearch).