https://community.splunk.com/t5/Splunk-Search/How-to-build-a-search-using-4-different-ad-hoc-searches/m-p/320697#M95828 <P>This part <CODE>(cli_attr=="MOBILE_IND=Y") OR (cli_attr!="MOBILE_IND==Y")</CODE> makes no sense (it's always true), you may as well leave it out and just use PatnerCode</P> Thu, 07 Sep 2017 18:30:37 GMT s2_splunk 2017-09-07T18:30:37Z https://community.splunk.com/t5/Splunk-Search/How-to-build-a-search-using-4-different-ad-hoc-searches/m-p/320694#M95825 <P>base-search earliest=-1h@m|<BR /> Desk <BR /> cli_attr="MOBILE_IND=N"</P> <P>Mobile <BR /> cli_attr="MOBILE_IND=Y" </P> <P>Emarketing<BR /> cli_attr="MOBILE_IND=Y" OR cli_attr="MOBILE_IND=N" PartnerCode=*</P> <P>Non-Emarketing <BR /> cli_attr="MOBILE_IND=Y" OR cli_attr="MOBILE_IND=N" NOT PartnerCode=*</P> <P>using these am trying to build a base search </P> <P>|eval deskdev=if(cli_attr=="MOBILE_IND=N","MOBILE_IND=N",NULL)<BR /> |eval mobiledev=if(cli_attr!="MOBILE_IND=N","MOBILE_IND=N",NULL) <BR /> |eval eMarketing=if((cli_attr=="MOBILE_IND=Y") OR (cli_attr!="MOBILE_IND==Y") AND (PartnerCode=="<EM>") , "MOBILE_IND=Y",NULL) <BR /> |eval NoneMarketing=if((cli_attr=="MOBILE_IND=Y") OR (cli_attr!="MOBILE_IND=Y") AND (PartnerCode!="</EM>"),"MOBILE_IND=Y",NULL)</P> <P>search not able to match the values with original, how would it possible. </P> Tue, 29 Sep 2020 15:37:52 GMT https://community.splunk.com/t5/Splunk-Search/How-to-build-a-search-using-4-different-ad-hoc-searches/m-p/320694#M95825 svemurilv 2020-09-29T15:37:52Z https://community.splunk.com/t5/Splunk-Search/How-to-build-a-search-using-4-different-ad-hoc-searches/m-p/320695#M95826 <P>This should work. I recommend using <CODE>null()</CODE> instead of NULL, but that's not your issue.<BR /> Can you provide a sample event? Are you sure your field contents in the events are present and have the <STRONG>exact value</STRONG> you are looking for?</P> <P>This run-anywhere search validates that your query is correct: <CODE>| makeresults | eval cli_attr="MOBILE_IND=N" | eval deskdev=if(cli_attr=="MOBILE_IND=N","MOBILE_IND=N",null())</CODE></P> Thu, 07 Sep 2017 17:56:31 GMT https://community.splunk.com/t5/Splunk-Search/How-to-build-a-search-using-4-different-ad-hoc-searches/m-p/320695#M95826 s2_splunk 2017-09-07T17:56:31Z https://community.splunk.com/t5/Splunk-Search/How-to-build-a-search-using-4-different-ad-hoc-searches/m-p/320696#M95827 <P>Am good with the Desktop and Mobile , but am not sure how to write the <CODE>|eval</CODE> condition for Emarketing and NonEmarketing. where i struck </P> Thu, 07 Sep 2017 18:23:15 GMT https://community.splunk.com/t5/Splunk-Search/How-to-build-a-search-using-4-different-ad-hoc-searches/m-p/320696#M95827 svemurilv 2017-09-07T18:23:15Z https://community.splunk.com/t5/Splunk-Search/How-to-build-a-search-using-4-different-ad-hoc-searches/m-p/320697#M95828 <P>This part <CODE>(cli_attr=="MOBILE_IND=Y") OR (cli_attr!="MOBILE_IND==Y")</CODE> makes no sense (it's always true), you may as well leave it out and just use PatnerCode</P> Thu, 07 Sep 2017 18:30:37 GMT https://community.splunk.com/t5/Splunk-Search/How-to-build-a-search-using-4-different-ad-hoc-searches/m-p/320697#M95828 s2_splunk 2017-09-07T18:30:37Z https://community.splunk.com/t5/Splunk-Search/How-to-build-a-search-using-4-different-ad-hoc-searches/m-p/320698#M95829 <P>missing these ?</P> <P>Emarketing<BR /> cli_attr="MOBILE_IND=Y" OR cli_attr="MOBILE_IND=N" <CODE>PartnerCode=*</CODE></P> <P>Non-Emarketing <BR /> cli_attr="MOBILE_IND=Y" OR cli_attr="MOBILE_IND=N" <CODE>NOT PartnerCode=*</CODE></P> Tue, 29 Sep 2020 15:37:57 GMT https://community.splunk.com/t5/Splunk-Search/How-to-build-a-search-using-4-different-ad-hoc-searches/m-p/320698#M95829 svemurilv 2020-09-29T15:37:57Z https://community.splunk.com/t5/Splunk-Search/How-to-build-a-search-using-4-different-ad-hoc-searches/m-p/320699#M95830 <P>What values can cli_attr have other than MOBILE_IND=Y and MOBILE_IND=N?</P> <P>Maybe we can help better if you verbally describe the conditions you want to test for and the resulting values for the eval'ed target field, as I am not clear on what you want your outcome to be.</P> Tue, 29 Sep 2020 15:38:00 GMT https://community.splunk.com/t5/Splunk-Search/How-to-build-a-search-using-4-different-ad-hoc-searches/m-p/320699#M95830 s2_splunk 2020-09-29T15:38:00Z https://community.splunk.com/t5/Splunk-Search/How-to-build-a-search-using-4-different-ad-hoc-searches/m-p/320700#M95831 <P>here in the the search we have included a PartnerCode=* and NOT PartnerCode=* there 2 are the differences between emarketing and nonemarketing we should include that part also in the same |eval If condition for each </P> Thu, 07 Sep 2017 19:35:48 GMT https://community.splunk.com/t5/Splunk-Search/How-to-build-a-search-using-4-different-ad-hoc-searches/m-p/320700#M95831 svemurilv 2017-09-07T19:35:48Z https://community.splunk.com/t5/Splunk-Search/How-to-build-a-search-using-4-different-ad-hoc-searches/m-p/320701#M95832 <P>Like this:</P> <PRE><CODE>base-search earliest=-1h@m | stats count(eval(searchmatch("cli_attr=\"MOBILE_IND=N\""))) AS deskdev count(eval(searchmatch("cli_attr=\"MOBILE_IND=Y\""))) AS mobiledev count(eval(searchmatch("cli_attr=\"MOBILE_IND=Y\" OR cli_attr=\"MOBILE_IND=N\" PartnerCode=\"*\""))) AS eMarketing count(eval(searchmatch("cli_attr=\"MOBILE_IND=Y\" OR cli_attr=\"MOBILE_IND=N\" NOT PartnerCode=\"*\""))) AS NoneMarketing </CODE></PRE> <P>It is hilarious but probably won't fly for you to call <CODE>Non-eMarketing</CODE> by <CODE>None Marketing</CODE>, kind of like a psychologist using <CODE>therpaist.com</CODE>.</P> Fri, 08 Sep 2017 04:56:55 GMT https://community.splunk.com/t5/Splunk-Search/How-to-build-a-search-using-4-different-ad-hoc-searches/m-p/320701#M95832 woodcock 2017-09-08T04:56:55Z