Solved: Re: where and eval clause does not work with "AND"...

leonjxtan · ‎05-17-2017

Firstly, with below search, there are events returned:

|from datamodel foo.fooo |search Counterparty=abc TransactionType=xyz

But with below "where", it does not return any events
|from datamodel foo.fooo |where Counterparty=abc AND TransactionType=xyz

I checked WHERE document and could not get a clue what went wrong. Could you help?

MuS · ‎05-17-2017

Can you try it like this:

  |from datamodel foo.fooo |where Counterparty="abc" AND TransactionType="xyz"

View solution in original post

puneethgowda · ‎05-18-2017

|from datamodel foo.fooo | search Counterparty="abc" OR TransactionType="xyz"

MuS · ‎05-18-2017

This will give you the wrong results, because it is a OR search.

MuS · ‎05-17-2017

Can you try it like this:

  |from datamodel foo.fooo |where Counterparty="abc" AND TransactionType="xyz"

leonjxtan · ‎05-17-2017

yes worked. Thanks. So where and eval require explicit indication of strings/numbers?

MuS · ‎05-18-2017

Yes, as @woodcock mentioned where will use the right side of the = as field names because it is eval based. search on the other side will treat as strings/numbers.

Feel free to accept this answer if it solved your problem ...

cheers, MuS

woodcock · ‎05-18-2017

Otherwise it assumes that they are field names.

where and eval clause does not work with "AND" condition?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!