Dashboards & Visualizations

How to extract a particular value for a field

vita86
Explorer

Hello, 

I need help please. 

For the purchases field, I want to display prices equal to 200.

And for the sales field, display all.

index=main sourcetype="*" action=purchase OR action=sales

Can you help me please? Send me some documentation or advice please?

Thanks in advance for your help.


gcusello
SplunkTrust

Hi @vita86,

you have to use the eval command, something like this:

index=main sourcetype="*" action=purchase OR action=sales
| eval purchases=if(action="purchase", "200", purchases)
| ...

Ciao.

Giuseppe

0 Karma

vita86
Explorer

Hello Giuseppe,

Thank you very much for your answer and your help.

I tried this command:

index=main sourcetype="*" action=purchase OR action=sales
| eval prices=if((action=="purchase") AND (prices=="200"), "ok", prices)
| where prices = "ok"
| table action prices

but it doesn't work 😞

Result: purchase ok

whereas I want to have sales too, for example:

purchase  200
sales     300
sales      50
......

Thanks in advance

0 Karma

gcusello
SplunkTrust

Hi @vita86,

in your search you don't need the double = and parentheses:

index=main sourcetype="*" action=purchase OR action=sales
| eval prices=if(action="purchase" AND prices="200", "ok", prices)
| where prices = "ok"
| table action prices

But if you want only to filter data for action=purchase AND prices=200, you could use something easier:

index=main sourcetype="*" action=purchase prices=200
| table action prices

Ciao.

Giuseppe

0 Karma

vita86
Explorer

Hello Giuseppe,

I know this command, but I wanted to display in my table both purchases (just prices=200) and sales (all prices).

For example this result:

action    prices  date
purchase  200     28072020
sales     50      05062020
sales     200     10092019
purchase  200     12102019
.....

I will add the type (purchases or sales) to my extraction (action prices date type).

Thanks in advance for your help. 

0 Karma

vita86
Explorer

Giuseppe, 

Thanks for the advice "od double = and parenthesys" 🙂

but the command doesn't display what I want:

index=main sourcetype="*" action=purchase OR action=sales
| eval prices=if(action="purchase" AND prices="200", "ok", prices)
| where prices = "ok"
| table action prices

The result only displays purchase with prices = 200 but no sales.

So I think I need a condition for sales, for example:

index=main sourcetype="*" action=purchase OR action=sales
| eval prices=if(action="purchase" AND prices="200", "ok", prices)
| eval prices=if(action="sales" AND isnotnull(prices), "ok", prices)
| where status = "ok"
| table action prices type

If it's not possible, I will do two extractions (one for purchases and the other for sales).

Thanks in advance.

0 Karma

isoutamo
SplunkTrust

Hi

You should try the next query:

index=main sourcetype="*" (action=purchase prices="200") OR (action=sales prices=*)
| table action prices

And if you want to use your own query you should modify it like:

index=main sourcetype="*" action=purchase OR action=sales
| eval status = case(
       action="purchase" AND prices="200", "ok",
       action="sales" AND isnotnull(prices), "ok",
       true(), "nok")
| where status = "ok"
| table action prices

r. Ismo

0 Karma
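A self-contained version of the case() approach above, added here as an example and not taken from the thread: it builds a few constructed sample events with makeresults instead of reading index=main, so it can be pasted into any Splunk search bar to see the filter behave. Note that the search-language wildcard prices=* has no meaning inside eval; isnotnull(prices) is the eval equivalent, and the type field is derived from action the way the asker wanted.

```spl
| makeresults count=1
| eval data="purchase,200;purchase,150;sales,300;sales,50;purchase,200"
| makemv delim=";" data
| mvexpand data
| rex field=data "^(?<action>[^,]+),(?<prices>.+)$"
| fields action prices
| eval status=case(
      action="purchase" AND prices="200", "ok",
      action="sales" AND isnotnull(prices), "ok",
      true(), "nok")
| where status="ok"
| eval type=if(action="purchase", "purchases", "sales")
| table action prices type
```

On this constructed input the purchase at 150 is dropped and four rows remain: purchase 200, sales 300, sales 50, purchase 200.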

vita86
Explorer

Hello @gcusello and @isoutamo 

Thank you very much for your help and explanation, it's working 🙂

I have another question, I have this extraction:

ref      action     prices
1674822  sales      0
1674822  purchases  200
3062981  purchases  0
3062981  sales      0

In this case, I don't want purchases with prices = 0.

If action=purchase prices=0 => the ref is not displayed.

I want to have just this:

ref      action     prices
1674822  sales      0
1674822  purchases  200

As the ref 3062981 has a purchase with price=0, it is not displayed.

Can you help me with the command to use please? Documentation?

Thanks in advance.

0 Karma

gcusello
SplunkTrust

Hi @vita86,

if the answers you received solved your need, please accept the answer for the other people of the community (and karma Points are appreciated by both the contributors 😉 ).

About the new question, please, open a new one.

Ciao.

Giuseppe

0 Karma

gcusello
SplunkTrust

Hi @vita86,

try to modify your search with this approach:

index=main sourcetype="*" action=purchase OR action=sales
| eval status=if(action="purchase" AND prices="200", "ok", "noc")
| eval status=if(action="sales" AND isnotnull(prices), "ok", status)
| where status = "ok"
| table action prices type

Ciao.

Giuseppe

0 Karma