Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I filter the following data set using a wildcard field name and greater than filter?

splunker1981
Path Finder
‎10-23-2018 10:01 AM

Hello experts,

I'm stuck trying to figure out how to filter the following data set to get the results shown below. Any assistance would be greatly appreciated.

Sample results

c_1  f_1    f_2 f_3 f_4 f_5
x001f    1  0     0   0     0
x0883g  1   0     0      0      0
x8834c  2   0     0     0      0
x8832d  3   0     0     0      0
x883kd    n           n             n

I'd like to do a filter by using a field wildcard f_* and > 1 and have it return the complete matching line; like the one below. 

    x8834c  2   0     0     0      0
    x8832d  3   0     0     0      0

I tried doing the following, but no luck...

| foreach f_* 
    [ eval total=total + '<<FIELD>>']
    |where total > 1
0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎10-23-2018 10:09 AM

@splunker1981

Can you please add | eval total=0 in you search and try again?

My Sample Search

| makeresults 
| eval _raw="
 c_1     f_1    f_2    f_3    f_4    f_5
 x001f     1    0      0      0      0
 x0883g    1    0      0      0      0
 x8834c    2    0      0      0      0
 x8832d    3    0      0      0      0
" 
| multikv | eval total=0
| foreach f_* 
    [ eval total=total + '<<FIELD>>'] 
| where total > 1

Thanks

0 Karma
Reply

splunker1981
Path Finder
‎10-23-2018 10:58 AM

Thanks for the response! The problem is that it's adding up all the values which is NOT what I want. I just want to iterate through each of the f_* fields, see if the value for each of those fields is > 1 (independent of one another) and print those rows if any of the f_* have a value > 1

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎10-23-2018 11:07 AM

@splunker1981

Can you please try this?

YOUR_SEARCH | eval status=0
 | foreach f_* 
     [ eval status=if('<<FIELD>>' > 1 AND status==0,1,status) ] | where status=1

Sample:

| makeresults 
 | eval _raw="
  c_1     f_1    f_2    f_3    f_4    f_5
  x001f     1    0      0      0      0
  x0883g    1    0      0      0      0
  x8834c    2    0      0      0      0
  x8832d    3    0      0      0      0
 " 
 | multikv | eval status=0
 | foreach f_* 
     [ eval status=if('<<FIELD>>' > 1 AND status==0,1,status) ] | where status=1
0 Karma
Reply

splunker1981
Path Finder
‎10-23-2018 12:48 PM

Still not working when I run against my data. I did notice that using your command I get the desired results. when I specifically filter using |search for the 10 results that should match, then the search works. But if I remember the |where I only get 1 match....

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎10-30-2018 09:00 AM

@splunker1981

Apology for a delay in reply. Can you please share more information regarding your search and samples?

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...