Reporting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

pivot | where

kensternberg
Splunk Employee
Splunk Employee
‎05-14-2014 09:46 AM

I want to use a 'where' clause (which allows the comparison of two fields) as a pivot constraint. My original search is 

index=maillog (event=SEND OR event=RECEIVE)

Which gives me all the successful mail handling events. The input source breaks out the root domain of the sender and receiver into individual fields, and I want to be able to say

| where sender_domain=receiver_domain

In a standard search, this was easy. I'd like to use this in pivot, but I can't figure out how to make the 'where' clause a child constraint of the main search, so I can say "show me the maillog of internal communications."

Help, please?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kensternberg
Splunk Employee
Splunk Employee
‎05-14-2014 11:57 AM

It turns out you can't create a where clause in Pivot.

But, you can create a calculated field. In the Data Model Editor, Add Attribute -> Eval Expression. I used the field name is_internal_communication, and an evaluation 

if (sender_domain = receiver_domain, 1, 0)

After previewing and saving, I was able to create a new child object with the constraint is_internal_communication = 1, and obviously I could add a child object with the constraint in_internal_communication = 0 for external communications.

View solution in original post

Reply
Solved! Jump to solution

kensternberg
Splunk Employee
Splunk Employee
‎05-14-2014 01:23 PM

I tried that. The constraint always wants to treat the right side of the expression as a string, not a field name. The eval method described in the answer I posted was much more effective.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎05-14-2014 12:51 PM

But you will not need to specify 'where' keyword. You can just specify the condition (" sender_domain=receiver_domain") directly in the "Additional constraints" text area.

0 Karma
Reply
Solved! Jump to solution

kensternberg
Splunk Employee
Splunk Employee
‎05-14-2014 12:33 PM

@somesoni2: The problem is that the 'where' clause isn't a legal operator in the constraints object.

0 Karma
Reply
Solved! Jump to solution
Solution

kensternberg
Splunk Employee
Splunk Employee
‎05-14-2014 11:57 AM

It turns out you can't create a where clause in Pivot.

But, you can create a calculated field. In the Data Model Editor, Add Attribute -> Eval Expression. I used the field name is_internal_communication, and an evaluation 

if (sender_domain = receiver_domain, 1, 0)

After previewing and saving, I was able to create a new child object with the constraint is_internal_communication = 1, and obviously I could add a child object with the constraint in_internal_communication = 0 for external communications.

Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎05-14-2014 11:26 AM

You can create a Child to your data model and add Child object. In Child object you can specify your where clause as "Additional Constraints". Is that you're looking for?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...