Security & the Enterprise

Query is failing at where condition

swathiadireddy
Loves-to-Learn Everything

thambisetty
SplunkTrust

Did you modify your query before posting it here in the community, or is it the same query with which you are facing the issue?

Also, please provide example output.

————————————
If this helps, give a like below.

swathiadireddy
Loves-to-Learn Everything

Hi @thambisetty 

I haven't modified the query.

 


thambisetty
SplunkTrust

index=ABC sourcetype=XYZ

|rex user1
| rex Log_ID

 

Can you check whether the above query works for you? I don't think it does, because there is an error in the rex command.

————————————
If this helps, give a like below.

richgalloway
SplunkTrust

I'm not surprised the where command is failing.  Keep in mind the command looks at a single event at a time and asks itself "does this event have a field called 'user1' and a field called 'user2' and do those two fields have the same value?".  The answer, of course, is always "no" because no event has both a user1 and a user2 field.

All is not lost, however.  The two searches can be stitched together using stats.

...
| eval user_type=if(in(ID," AUT22222"," NWC333333"," AUT55555"),"Logout_user",nothing)
| eval user=coalesce(user1, user2)
| stats values(*) as * by user
| stats count(eval(user_type="Logout_user")) as Logout values(user2) as user2
---
If this reply helps you, Karma would be appreciated.
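A complete version of the stats-based approach described in the reply above, added here as a worked example; it is not code from any post in this thread. It assumes the fields user1, user2 and ID are already extracted (the rex commands in the thread carry no regular expression, so none is invented here), that login events live in index=ABC sourcetype=XYZ with ID AUT99999, and that logout events live in index=cert sourcetype="pulse*" with IDs AUT22222, NWC333333 and AUT55555, as in the later reply. The ID values quoted in the thread carry a leading space, so the example trims them before comparing.

```spl
(index=ABC sourcetype=XYZ) OR (index=cert sourcetype="pulse*")
| eval ID=trim(ID)
| eval user_type=case(ID=="AUT99999", "Login_user",
                      in(ID,"AUT22222","NWC333333","AUT55555"), "Logout_user")
| where isnotnull(user_type)
| eval user=coalesce(user1, user2)
| stats count(eval(user_type="Login_user")) as Login
        count(eval(user_type="Logout_user")) as Logout
        by user
| eval Active_user=Login-Logout
| addcoltotals Login Logout Active_user labelfield=user label="TOTAL"
```

Both sources are pulled in one base search joined with OR rather than via `append [search ...]`, which avoids the default subsearch result and time limits. The key step is `coalesce(user1, user2)` followed by `stats ... by user`: the login and logout events for one account are only ever in different events, so `where user1=user2` can never match, but grouping on the merged `user` field puts each account's Login and Logout counts on a single row where the subtraction is valid. Events with neither user1 nor user2 are dropped by `stats ... by user`, since their `user` is null.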

swathiadireddy
Loves-to-Learn Everything

That didn't work!

The two queries below work; I want to calculate the Active_user count when user1=user2.

Active_user=Login-Logout


impurush
Contributor

Hi @swathiadireddy 

Please try the query below. You are using user1 inside the subsearch, which will not give any result.

index=cert sourcetype="pulse*" 
| rex user2 
| rex Log_ID 
| search "AUT22222" OR "NWC333333" OR "AUT55555" 
| eval user_type=if(in (ID," AUT22222", " NWC333333"," AUT55555"),"Logout_user",nothing) 
| append 
    [ search index=ABC sourcetype=XYZ 
    | rex user1 
    | rex Log_ID 
    | search "AUT99999" 
    | eval user_type=case(ID == " AUT99999","Login_user",1=1, nothing) 
    | stats count(eval(user_type="Login_user")) as Login values(user1) as user1 
    | eval Active_user = Login ] 
| where user1=user2 
| stats count(eval(user_type="Logout_user")) as Logout values(user2) as user2 
| eval Active_user = Login - Logout 
| table Active_user

swathiadireddy
Loves-to-Learn Everything

Thanks @impurush  but it didn't work
