
Query is failing at where condition

swathiadireddy
Loves-to-Learn Everything

thambisetty
SplunkTrust

Did you modify your query before posting it here in the community, or is it the same query where you are facing the issue?

And also, provide example output.

————————————
If this helps, give a like below.

swathiadireddy
Loves-to-Learn Everything

Hi @thambisetty 

I haven't modified the query.


thambisetty
SplunkTrust

index=ABC sourcetype=XYZ

|rex user1
| rex Log_ID

 

Can you check whether the above query is working for you? I don't think it works, because there is an error in the rex command.

————————————
If this helps, give a like below.

richgalloway
SplunkTrust

I'm not surprised the where command is failing.  Keep in mind the command looks at a single event at a time and asks itself "does this event have a field called 'user1' and a field called 'user2' and do those two fields have the same value?".  The answer, of course, is always "no" because no event has both a user1 and a user2 field.

All is not lost, however.  The two searches can be stitched together using stats.

...
| eval user_type=if(in (ID," AUT22222", " NWC333333"," AUT55555"),"Logout_user",nothing)

| eval user=coalesce(user1, user2)
| stats values(*) as * by user

| stats count(eval(user_type="Logout_user")) as Logout values(user2) as user2
---
If this reply helps you, Karma would be appreciated.

swathiadireddy
Loves-to-Learn Everything

That didn't work!

The two queries below work, and I wanted to calculate the Active_user count when user1=user2.

Active_user=Login-Logout


impurush
Contributor

Hi @swathiadireddy 

Please try the query below; you are using user1 inside the subsearch, which will not give any result.

index=cert sourcetype="pulse*" 
| rex user2 
| rex Log_ID 
| search "AUT22222" OR "NWC333333" OR "AUT55555" 
| eval user_type=if(in (ID," AUT22222", " NWC333333"," AUT55555"),"Logout_user",nothing) 
| append 
    [ search index=ABC sourcetype=XYZ 
    | rex user1 
    | rex Log_ID 
    | search "AUT99999" 
    | eval user_type=case(ID == " AUT99999","Login_user",1=1, nothing) 
    | stats count(eval(user_type="Login_user")) as Login values(user1) as user1 
    | eval Active_user = Login ] 
| where user1=user2 
| stats count(eval(user_type="Logout_user")) as Logout values(user2) as user2 
| eval Active_user = Login - Logout 
| table Active_user
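As an added, self-contained example (not code from any of the posters above), the search below reproduces the problem richgalloway describes and shows the stats-based stitching he proposes, using the same pattern of appended Login and Logout searches as in impurush's query. The events are constructed with makeresults; the user names "alice" and "bob" are placeholders, and because the regexes of the original rex commands are not given in the thread, the ID, user1 and user2 fields are set directly with eval instead of being extracted.

```spl
| makeresults
| eval ID="AUT99999", user1="alice", user_type="Login_user"
| append [| makeresults | eval ID="AUT99999", user1="bob", user_type="Login_user"]
| append [| makeresults | eval ID="AUT22222", user2="alice", user_type="Logout_user"]
| eval user=coalesce(user1, user2)
| stats count(eval(user_type="Login_user")) as Login count(eval(user_type="Logout_user")) as Logout by user
| eval Active_user=Login-Logout
| table user Login Logout Active_user
```

Running this returns two rows: alice with Login=1, Logout=1, Active_user=0, and bob with Login=1, Logout=0, Active_user=1. If you insert `| where user1=user2` directly after the last append (the pattern in the original query), the search returns no rows at all: each event carries either user1 or user2, never both, so the per-event comparison is never true. The coalesce line gives both kinds of event a common key, and stats by that key does the correlation that where cannot.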

swathiadireddy
Loves-to-Learn Everything

Thanks @impurush, but it didn't work.
