topic Re: How do I filter out results of a search AFTER the search? in Splunk Search

How do I filter out results of a search AFTER the search?

ZacEsa — Mon, 22 Aug 2016 03:27:01 GMT

Basically I have a search from multiple different sources with lots of raw rex field extractions and transactions and evals. Is it possible to filter out the results after all of those?

E.g. Only show results which fulfil ANY of the below criteria;

If eventcount>2 AND field1=somevaluehere
OR If eventcount>5 AND field1=anothervaluehere
OR If field2!=null()

I'm wondering if this can be done after all the search, rex, transaction, eval and all.

Re: How do I filter out results of a search AFTER the search?

ddrillic — Mon, 22 Aug 2016 03:39:06 GMT

You should be able to do it with the | where command after your complex query, something like

| where (If eventcount>2 AND field1=somevaluehere) OR ....

Re: How do I filter out results of a search AFTER the search?

sundareshr — Mon, 22 Aug 2016 03:43:11 GMT

Sure you can. Try this

your base search | search (eventcount>2 AND field1=somevaluehere) OR (eventcount>5 AND field1=anothervaluehere) OR NOT (field2=*)

*OR*

your base search | where (eventcount>2 AND field1=somevaluehere) OR (eventcount>5 AND field1=anothervaluehere) OR NOT (field2=*)

Re: How do I filter out results of a search AFTER the search?

ZacEsa — Mon, 22 Aug 2016 06:11:13 GMT

Strangely, where doesn't work for me.

Re: How do I filter out results of a search AFTER the search?

ZacEsa — Mon, 22 Aug 2016 06:11:20 GMT

Strangely, where doesn't work for me.

Re: How do I filter out results of a search AFTER the search?

ZacEsa — Mon, 22 Aug 2016 08:56:24 GMT

Your first solution doesn't work too.

Re: How do I filter out results of a search AFTER the search?

Runals — Mon, 22 Aug 2016 11:21:12 GMT

Do you have a field called eventcount or is that field something you first need Splunk to calculate? The process both folks have provided (where or search) do work. The only difference might be

your base search | <your transforming & field extracting commands> | where blah blah blah

Re: How do I filter out results of a search AFTER the search?

sundareshr — Mon, 22 Aug 2016 13:05:24 GMT

If you are using transaction, you will have to use mv functions for field1 & field 2. So try something like this

 your base search | where (eventcount>2 AND mvfind(field1, somevaluehere)>=0) OR (eventcount>5 AND mvfind(field2, anothervalue)>=0) ) OR NOT (mvcount(field2)>0)

Re: How do I filter out results of a search AFTER the search?

ZacEsa — Tue, 23 Aug 2016 01:16:24 GMT

When you do a transaction, it becomes eventcount. I have no idea why neither works for me. Does where not work for fields extracted by rex? Also, I get this error when trying to run the suggestion after yours(see below comment.)

Error in 'where' command: Typechecking failed. 'AND' only takes boolean arguments.

Re: How do I filter out results of a search AFTER the search?

ZacEsa — Tue, 23 Aug 2016 01:17:07 GMT

I get the error below when I try to run where (eventcount>2 AND mvfind(field1, somevaluehere))

Error in 'where' command: Typechecking failed. 'AND' only takes boolean arguments.

Re: How do I filter out results of a search AFTER the search?

ZacEsa — Tue, 23 Aug 2016 01:29:44 GMT

I believe one of my issue for where is that I have a concatenated field called rules. And the field doesn't use null() but instead, uses "" as when I use null(), the fields do not concatenate. So, where I try to use where rules!="", it doesn't work.

Re: How do I filter out results of a search AFTER the search?

sundareshr — Tue, 23 Aug 2016 01:58:11 GMT

This is the where segment

| where (eventcount>2 AND mvfind(field1, somevaluehere)>=0) OR (eventcount>5 AND mvfind(field2, anothervalue)>=0) ) OR NOT (mvcount(field2)>0)

Re: How do I filter out results of a search AFTER the search?

ZacEsa — Thu, 25 Aug 2016 04:19:31 GMT

I've got it to start working but, I'm having a peculiar issue. When I use where ((acduser!="user1" OR acduser!="user2") AND rules="After Office Hours") it's still showing events which are "After Office Hours" AND if user is user1 or user2. From the above where, shouldn't it show "After Office Hours" if user is NOT user1 or user2?