topic Re: variable where clause in Splunk Search

variable where clause

lain179 — Mon, 13 May 2013 19:18:57 GMT

Hi,

I need to set where clause based on certain condition. For example, if value=a, then where should be x>1. If value=b, then where clause should have x>100. If value=c, then x>1000, etc.

So I did something like:

eval condition=if(value=a,x>1,if(value=b,x>100,x>1000)) | stats values(blahblah) | where condition

As expected, that doesn't work =D

Please help and let me know how I can set up variable where clause.

Thanks!

Re: variable where clause

sideview — Mon, 13 May 2013 19:32:00 GMT

just move the conditional logic into the eval and have the eval create a field whose value is 1 or 0. then your where clause can just check for 1.

Like so:

eval is_match=case(value=="a" AND x>1,1,value=="b" AND x>100,1,x>1000,1,1==1,0) | stats values(blahblah) | where is_match="1"

Re: variable where clause

lain179 — Mon, 13 May 2013 19:39:10 GMT

May be I am doing something wrong:

My search:

sourcetype="WMI*Security" Type="Audit Failure" Account_Name=* AND NOT (Account_Name=@@*) AND Client_Host=$click.value$| stats values(Account_Name) | where conditional | eval conditional = case($click.name2$ = InternalCount AND len(Account_Name)=3, 1,$click.name2$=AdminCount AND like(Account_Name,"%admin%"),1,$click.name2$=ClientCount AND len(Account_Name)!=3,1,1==1,0) | stats values(Account_Name) | where conditional="1"

Re: variable where clause

lain179 — Mon, 13 May 2013 19:39:15 GMT

My search result

The job appears to have expired or has been canceled. Splunk could not retrieve data for this search.

sourcetype="WMI*Security" Type="Audit Failure" Account_Name=* AND NOT (Account_Name=@@*) AND Client_Host=HL112SPRAX04| stats values(Account_Name) | where conditional | eval conditional = case(ClientCount = InternalCount AND len(Account_Name)=3, 1,ClientCount=AdminCount AND like(Account_Name,"%admin%"),1,ClientCount=ClientCount AND len(Account_Name)!=3,1,1==1,0) | stats values(Account_Name) | where conditional="1"

Re: variable where clause

sideview — Mon, 13 May 2013 19:57:45 GMT

Run this same search, but end it after the | stats values(Account_Name) I'm not sure what you think stats values() does, but it doesn't do that. 😃 after that stats vlaues clause you'll have exactly one row, with exactly one field, whose field name is "values(AccountName)". So nothing after that will work as you expect. Also the extra | where conditional | clause looks like a typo.

Re: variable where clause

aholzer — Mon, 13 May 2013 20:01:05 GMT

Make sure that you list the fields in the original search that you will need in the drilldown. Otherwise your parent module won't pass down the fields.

Example:
Parent:
search "blah" | fields firstname, age
Drilldown:
search firstname=$click.name1$ AND lastname=$click.name2$ | table firstname, lastname, age

The above won't work, because your parent module will not pass the "lastname" field to the child module.

To make it work just include all the fields that you will need downstream in your parent module.

Re: variable where clause

lain179 — Mon, 13 May 2013 20:44:32 GMT

Both of you are correct. It was a stupid typo. Here is my new search and it works!!! Thanks guys.

sourcetype="WMI*Security" Type="Audit Failure" Account_Name=* AND NOT (Account_Name=@@*) AND Client_Host=$click.value$ | eval status= if(len(Account_Name)=3, "InternalCount", if(like(Account_Name,"%admin%"),"AdminCount","ClientCount")) | stats values(Account_Name) values(status) as status by _time | where status="$click.name2$"