Solved: where and eval clause does not work with "AND" con...

leonjxtan · ‎05-17-2017

Firstly, with below search, there are events returned:

|from datamodel foo.fooo |search Counterparty=abc TransactionType=xyz

But with below "where", it does not return any events
|from datamodel foo.fooo |where Counterparty=abc AND TransactionType=xyz

I checked WHERE document and could not get a clue what went wrong. Could you help?

MuS · ‎05-17-2017

Can you try it like this:

  |from datamodel foo.fooo |where Counterparty="abc" AND TransactionType="xyz"

View solution in original post

puneethgowda · ‎05-18-2017

|from datamodel foo.fooo | search Counterparty="abc" OR TransactionType="xyz"

MuS · ‎05-18-2017

This will give you the wrong results, because it is a OR search.

MuS · ‎05-17-2017

Can you try it like this:

  |from datamodel foo.fooo |where Counterparty="abc" AND TransactionType="xyz"

leonjxtan · ‎05-17-2017

yes worked. Thanks. So where and eval require explicit indication of strings/numbers?

MuS · ‎05-18-2017

Yes, as @woodcock mentioned where will use the right side of the = as field names because it is eval based. search on the other side will treat as strings/numbers.

Feel free to accept this answer if it solved your problem ...

cheers, MuS

woodcock · ‎05-18-2017

Otherwise it assumes that they are field names.

where and eval clause does not work with "AND" condition?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms