Reporting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Unable to filter based on 2 fields- Help with syntax

POR160893
Builder
‎11-23-2022 02:05 AM

Hey, I have a big query and I need to have a command on the query that would filter all  Asset_State!="Development" OR Asset_State!="Pre-Production", bit for ONLY Asset_Environment!="PKI  AND Offline" Status="2".

If tried the following command:
| if( Asset_Environment!="PKI  AND Offline" Status="2".,search NOT (Asset_State!="Development" OR Asset_State!="Pre-Production"))

 

I know the syntax is wrong, can you help ?
Many thanks

Labels (3)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-23-2022 02:14 AM

Hi @POR160893,

you canoot insert an if conditon in a search, it's possible to use if only in eval command, but you could use something like this, to adapt to your situation:

if you want to exclude events with Asset_State!="Development" OR Asset_State!="Pre-Production", bit for ONLY Asset_Environment!="PKI  AND Offline" Status="2":

...
| search NOT ((Asset_State!="Development" OR Asset_State!="Pre-Production") Asset_Environment!="PKI Offline_Status=2)

Ciao.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Celebrating Fast Lane: 2025 Authorized Learning Partner of the Year

At .conf25, Splunk proudly recognized Fast Lane as the 2025 Authorized Learning Partner of the Year. This ...

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...