How to extract a particular value for a field

vita86
Explorer

Hello,

I need help please.

For the purchases field, I want to display prices equal to 200.

And for the sales field, display all.

index=main sourcetype="*" action=purchase OR action=sales

Can you help me please? Could you send me documentation or advice?

Thanks in advance for your help.

1 Solution

isoutamo
SplunkTrust

Hi

You should try the following query:

index=main sourcetype="*" (action=purchase prices="200") OR (action=sales prices=*)
| table action prices

And if you want to use your own query, you should modify it like this:

index=main sourcetype="*" action=purchase OR action=sales
| eval status = case(
       action="purchase" AND prices="200", "ok",
       action="sales" AND isnotnull(prices), "ok",
       true(), "nok")
| where status = "ok"
| table action prices

r. Ismo


gcusello
Legend

Hi @vita86,

you have to use the eval command, something like this:

index=main sourcetype="*" action=purchase OR action=sales
| eval purchases=if(action="purchase", "200", purchases)
| ...

Ciao.

Giuseppe


vita86
Explorer

Hello Giuseppe,

Thank you very much for your answer and your help.

I tried this command:

index=main sourcetype="*" action=purchase OR action=sales
| eval prices=if((action=="purchase") AND (prices=="200"), "ok", prices)
| where prices = "ok"
| table action prices

but it doesn't work 😞

result: purchase ok

whereas I also want to have sales, for example:

purchase  200
sales     300
sales      50
......

Thanks in advance

gcusello
Legend

Hi @vita86,

in your search you don't need the double = and parentheses

index=main sourcetype="*" action=purchase OR action=sales
| eval prices=if(action="purchase" AND prices="200", "ok", prices)
| where prices = "ok"
| table action prices

But if you want only to filter data for action=purchase AND prices=200, you could use something easier:

index=main sourcetype="*" action=purchase prices=200
| table action prices

Ciao.

Giuseppe

vita86
Explorer

Hello Giuseppe,

I know this command, but I wanted to display in my table purchases (just prices=200) and sales (all prices).

For example this result:

action    prices  date
purchase  200     28072020
sales     50      05062020
sales     200     10092019
purchase  200     12102019
.....

I will add the type (purchases and sales) to my extraction (action prices date type).

Thanks in advance for your help.

vita86
Explorer

Giuseppe, 

Thanks for the advice about the double = and parentheses 🙂

but the command doesn't display what I want:

index=main sourcetype="*" action=purchase OR action=sales
| eval prices=if(action="purchase" AND prices="200", "ok", prices)
| where prices = "ok"
| table action prices
The result only displays purchase with prices = 200 but no sales.

so I think I need a condition for sales, for example:
index=main sourcetype="*" action=purchase OR action=sales
| eval prices=if(action="purchase" AND prices="200", "ok", prices)
| eval prices=if(action="sales" AND prices=*, "ok", prices)
| where status = "ok"
| table action prices type

If it's not possible, I will do two extractions (one for purchases and the other for sales).

Thanks in advance.


vita86
Explorer

Hello @gcusello and @isoutamo,

Thank you very much for your help and explanation, it's working 🙂

I have another question, I have this extraction:

ref      action     prices
1674822  sales      0
1674822  purchases  200
3062981  purchases  0
3062981  sales      0

in this case, I don't want purchases with prices = 0.

If action=purchase prices=0 => the ref is not displayed

I want to have just this:

ref      action     prices
1674822  sales      0
1674822  purchases  200

As the ref 3062981 has a purchase with price=0, it isn't displayed.

can you help me with the command to use please? documentation?

Thanks in advance.

gcusello
Legend

Hi @vita86,

if the answers you received solved your need, please accept the answer for the other people of the community (and Karma Points are appreciated by both the contributors 😉).

About the new question, please open a new one.

Ciao.

Giuseppe

gcusello
Legend

Hi @vita86,

try to modify your search with this approach:

index=main sourcetype="*" action=purchase OR action=sales
| eval status=if(action="purchase" AND prices="200", "ok", "noc")
| eval status=if(action="sales" AND isnotnull(prices), "ok", status)
| where status = "ok"
| table action prices type

Ciao.

Giuseppe

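The thread turns on why the accepted case() query keeps both the purchase=200 rows and all sales rows, while vita86's two-eval attempt kept only the rows matched by the last eval. Below is an added Python model of both pipelines over constructed events (my own code, not from Splunk or any post in this thread; EVENTS, status_case, status_two_evals and run_search are my own names).

```python
# Added example, not code from the thread: a small Python model of the SPL
# logic discussed above, run over constructed events. It shows why a single
# case() keeps both purchase=200 and all sales rows, while two independent
# if() evals leave only the rows matched by the last one.

# Constructed sample events standing in for index=main results.
EVENTS = [
    {"action": "purchase", "prices": "200", "date": "28072020"},
    {"action": "purchase", "prices": "150", "date": "12102019"},
    {"action": "sales", "prices": "50", "date": "05062020"},
    {"action": "sales", "prices": "300", "date": "10092019"},
    {"action": "sales", "date": "01012020"},  # no prices field at all
]


def status_case(ev):
    """Models: eval status=case(action="purchase" AND prices="200", "ok",
                                action="sales" AND isnotnull(prices), "ok",
                                true(), "nok")
    case() returns the value paired with the first true condition."""
    if ev.get("action") == "purchase" and ev.get("prices") == "200":
        return "ok"
    if ev.get("action") == "sales" and ev.get("prices") is not None:
        return "ok"
    return "nok"


def status_two_evals(ev):
    """Models two consecutive evals that each assign status from scratch:
    eval status=if(action="purchase" AND prices="200", "ok", "noc")
    eval status=if(action="sales" AND isnotnull(prices), "ok", "noc")
    The second assignment replaces whatever the first one set."""
    status = "ok" if ev.get("action") == "purchase" and ev.get("prices") == "200" else "noc"
    # Overwritten here for every event, purchase rows included.
    status = "ok" if ev.get("action") == "sales" and ev.get("prices") is not None else "noc"
    return status


def run_search(status_fn):
    """Models `| where status = "ok" | table action prices`."""
    return [(ev["action"], ev.get("prices")) for ev in EVENTS if status_fn(ev) == "ok"]


if __name__ == "__main__":
    print("case():   ", run_search(status_case))
    print("two evals:", run_search(status_two_evals))
```

The fix in SPL is either the single case() or making the second eval return the existing status instead of "noc" in its else branch.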