Dashboards & Visualizations

Why does my search return shortened number of results

GaryZ
Path Finder

I apologize if the following question might be a bit basic.  But I'm confused with the results.  

When I append the  following code into the "search" line, it returns a shortened list of results. (from 47 to 3) 

AND ("a" in ("a"))

 

original code. 

index=main_service  ABC_DATASET 
Arguments.email="my_email@company_X.com"

| rename device_model as hardware,
device_build as builds,
device_train as trains,
ABC_DATASET.Check_For_Feature_Availability as Check_Feature_Availability


| search (Check_Feature_Availability=false)  AND ("a" in ("a"))

| table builds, trains, Check_Feature_Availability

 

I was expecting to see the same number of results.  Am I wrong about my expectations, or am I missing something here?

TIA

 

 

index=main_service  ABC_DATASET 
Arguments.email="my_email@company_X.com"

| rename device_model as hardware,
device_build as builds,
device_train as trains,
ABC_DATASET.Check_For_Feature_Availability as Check_Feature_Availability


| search (Check_Feature_Availability=false)  AND ("a" in ("a"))

| table builds, trains, Check_Feature_Availability

Labels (4)
0 Karma
1 Solution

bowesmana
SplunkTrust
SplunkTrust
| search (Check_Feature_Availability=false) AND ("a" in ("a"))

is saying "does field "a" have a value of "a", it is not comparing text "a" with text "a".

Compare that with 

| where (Check_Feature_Availability="false") AND ("a" IN ("a"))

 Note added quotes around "false". That is comparing text "a" with text "a" and will match.

What is the purpose of that constraint?

View solution in original post

0 Karma

GaryZ
Path Finder

What I'm trying to achieve from this, is try to implement an "exclusive or" logic.

|search (Check_Feature_Availability=false) AND NOT ("a" IN ("a", "b", "c")) OR 
 (Check_Feature_Availability=true) AND ("a" IN ("a", "b", "c")) 

 

TIA

0 Karma

bowesmana
SplunkTrust
SplunkTrust

So what is "a" in the first part of the statement?

Your statement is saying does field "a" (NOT) have a value of a, b or c

What is field "a" in your context and do they all have the value "a"?

0 Karma

GaryZ
Path Finder
|search (Check_Feature_Availability=false) AND NOT ("Choice1" IN ("Choice1", "Choice2", "Choice3")) OR 
 (Check_Feature_Availability=true) AND ("Choice1" IN ("Choice1", "Choice2", "Choice3"))

 

The list is really all the options from a multi-valued dropdown menu.  The values are all different.

 

0 Karma

bowesmana
SplunkTrust
SplunkTrust
| search (Check_Feature_Availability=false) AND ("a" in ("a"))

is saying "does field "a" have a value of "a", it is not comparing text "a" with text "a".

Compare that with 

| where (Check_Feature_Availability="false") AND ("a" IN ("a"))

 Note added quotes around "false". That is comparing text "a" with text "a" and will match.

What is the purpose of that constraint?

0 Karma

GaryZ
Path Finder

Thank you @bowesmana,

 

I was looking for 

| where (Check_Feature_Availability="false") AND ("a" IN ("a"))

 

Thank you.

0 Karma

GaryZ
Path Finder

I am trying to dynamically alter my searched data, by utilizing a value from my data source (Check_Feature_Availability - boolean data) with a selected value from a multi-dropdown in the dashboard (list of strings).  

0 Karma

bowesmana
SplunkTrust
SplunkTrust

OK, so I assume the list of strings are a, b and c, but what is the FIRST "a" in your statement

"a" in ("a","b","c")

as I said in my first reply, the search statement is comparing FIELD "a" with the string values of the IN part. Is your field "a" something that has those values?

For you to get all results simply adding that AND statement, would imply field "a" has "a" in all your events.

0 Karma

GaryZ
Path Finder

I'm looking for a particular string in the list of strings.   The "a" in the first part is not from a field,  it's just a string that I'm trying to compare against.  

 

I'm trying to implement the following logic in python

"word1" in ['word1', 'word2', ..., 'word_x', ]

0 Karma
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...