Hello,
I need help please.
For the purchases field, I want to display the prices equal to 200.
And for the sales field, display all.
index=main sourcetype="*" action=purchase OR action=sales
Can you help me, please? Can you send me documentation or advice, please?
Thanks in advance for your help.
Hi @vita86,
you have to use the eval command, something like this:
index=main sourcetype="*" action=purchase OR action=sales
| eval purchases=if(action="purchase","200",purchases)
| ...
Ciao.
Giuseppe
Hello Giuseppe,
Thank you very much for your answer and your help.
I tried this command:
index=main sourcetype="*" action=purchase OR action=sales
| eval prices=if((action=="purchase") AND (prices=="200"), "ok", prices)
| where prices = "ok"
| table action prices
but it doesn't work 😞
Result: purchase ok
whereas I also want to have sales, for example:
purchase 200
sales 300
sales 50
......
Thanks in advance
Hi @vita86,
in your search you don't need the double = and parentheses
index=main sourcetype="*" action=purchase OR action=sales
| eval prices=if(action="purchase" AND prices="200", "ok", prices)
| where prices = "ok"
| table action prices
But if you want only to filter data for action=purchase AND prices=200, you could use something easier:
index=main sourcetype="*" action=purchase prices=200
| table action prices
Ciao.
Giuseppe
Hello Giuseppe,
I know this command, but I wanted to display in my table purchases (just prices=200) and sales (all prices).
For example, this result:
action prices date
purchase 200 28072020
sales 50 05062020
sales 200 10092019
purchase 200 12102019
.....
I will add type purchases and sales for my extraction (action prices date type).
Thanks in advance for your help.
Giuseppe,
Thanks for the advice "od double = and parenthesys" 🙂
but the command doesn't display what I want:
index=main sourcetype="*" action=purchase OR action=sales
| eval prices=if(action="purchase" AND prices="200", "ok", prices)
| where prices = "ok"
| table action prices
The result only displays purchase with prices = 200 but no sales.
So I think I must have a condition for sales, for example:
index=main sourcetype="*" action=purchase OR action=sales
| eval prices=if(action="purchase" AND prices="200", "ok", prices)
| eval prices=if(action="sales" AND prices=*, "ok", prices)
| where status = "ok"
| table action prices type
If it's not possible, I will do two extractions (one for purchases and the other for sales).
Thanks in advance.
Hi
You should try the next query:
index=main sourcetype="*" (action=purchase prices="200") OR (action=sales prices=*)
| table action prices
And if you want to use your own query you should modify it like:
index=main sourcetype="*" action=purchase OR action=sales
| eval status = case(
action="purchase" AND prices="200", "ok",
action="sales" AND isnotnull(prices), "ok",
true(), "nok")
| where status = "ok"
| table action prices
r. Ismo
Thank you very much for your help and explanation, it's working 🙂
I have another question. I have this extraction:
ref action prices
1674822 sales 0
1674822 purchases 200
3062981 purchases 0
3062981 sales 0
In this case, I don't want purchases with prices = 0.
If action=purchase prices=0 => the ref is not displayed
I want to have just this:
ref action prices
1674822 sales 0
1674822 purchases 200
As the ref 3062981 has a purchase with price=0, it isn't displayed.
Can you help me with the command to use, please? Documentation?
Thanks in advance.
Hi @vita86,
if the answers you received solved your need, please accept the answer for the other people of the community (and karma Points are appreciated by both the contributors 😉 ).
About the new question, please, open a new one.
Ciao.
Giuseppe
Hi @vita86,
try to modify your search with this approach:
index=main sourcetype="*" action=purchase OR action=sales
| eval status=if(action="purchase" AND prices="200", "ok", "noc")
| eval status=if(action="sales" AND isnotnull(prices), "ok", status)
| where status = "ok"
| table action prices type
Ciao.
Giuseppe
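Added example, not part of any post in this thread: one way to handle the follow-up question above (hide every ref that has a purchase with prices=0) is to flag the whole ref with eventstats and then filter on that flag. It assumes the fields are named ref, action and prices, and that the action value is "purchases" as in the follow-up table; the four sample rows are the ones from that table, rebuilt inline with makeresults so the search runs without any indexed data. The zero_purchases field name is hypothetical.

```spl
| makeresults
| eval raw="1674822,sales,0;1674822,purchases,200;3062981,purchases,0;3062981,sales,0"
| makemv delim=";" raw
| mvexpand raw
| rex field=raw "^(?<ref>\d+),(?<action>\w+),(?<prices>\d+)$"
| eventstats sum(eval(if(action="purchases" AND tonumber(prices)=0, 1, 0))) as zero_purchases by ref
| where zero_purchases=0
| table ref action prices
```

On real data, replace everything up to and including the rex line with the base search (index=main sourcetype="*" action=purchase OR action=sales) and adjust the action value to match the events.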