Hi,
I have a requirement to write a Splunk query that uses an ES-based data model, to better make use of the fields it provides, and I also want to limit my search to my custom index values.
So, for example, I want to use Authentication.Authentication to return the fields action and _time via the Authentication data model, with the index values limited to A, B and C only. I tried a query like the one below and it doesn't work.
|`tstats` count from datamodel=Authentication.Authentication by _time,Authentication.action span=10m
|where Authentication.index IN(index=A,B,C)
|timechart minspan=10m count by Authentication.action
|`drop_dm_object_name("Authentication")`
Thanks in advance!!
Hi, I thought I replied here but somehow I am unable to view my reply.
The above where condition is not working when I have 10-12 indexes to use inside IN(A,B,C.....K,L).
Issue 1: It says the where condition is missing a closing ")" when I use more than 2 index values.
Issue 2: It returns the events but it won't display them (I tried verbose and fast modes), but I can't see the events (I encounter this situation even when there are no syntax errors / no error message). Not sure why this happens; I would appreciate a response on this condition as well.
Please advise how I can filter the data model to fit only my index values.
Thank you, this works 🙂
The syntax used for the IN operator is incorrect. Try
... |where Authentication.index IN(A,B,C)| ...
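For reference, a complete version of the query from the original post with the index filter applied. This is an added example, not a query posted in the thread. It assumes the ES `tstats` macro is available (as in the original query), that the index names A, B and C are placeholders for the real custom indexes, and that `index` can be filtered directly in the tstats `where` clause for an accelerated data model, which is how I would expect it to behave but which the thread itself does not show.

```spl
|`tstats` count from datamodel=Authentication.Authentication
    where index IN ("A","B","C")
    by _time span=10m, Authentication.action
|`drop_dm_object_name("Authentication")`
|timechart minspan=10m count by action
```

Two points worth noting. First, filtering inside the tstats `where` clause restricts the summary lookup itself; if the filter is instead applied afterwards with a separate `| where Authentication.index IN(...)`, the `Authentication.index` field must also appear in the `by` clause, because tstats only returns the count and the fields it was grouped by, and a `where` on a field that is absent from the results matches nothing. Second, string values in a `where` clause are safest double-quoted, since bare words there are otherwise read as field names. The `drop_dm_object_name` macro is moved before `timechart` so that the split-by field is the plain `action` name rather than `Authentication.action`.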