Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Adding filter to query using IN

shrogers
Loves-to-Learn Everything
‎06-03-2021 07:06 AM

Can I please get some assistance on the below?

I'm trying to add a filter TRAN_CLASS!=6 to the below query. When I add the filter to after the index, Total_Pages2 shows a zero.

index=dev sourcetype IN (ibm:was:performanceLog, ibm:was:cp:performanceLog, ar:mdm) source IN ("/data/sharedDir/wp/*/logs/ARWP*Srv*/performance.log", "/data/sharedDir/cp/*/logs/ARCP*Srv*/sspperformance.log", "/data/infamdm_dev/hub/server/logs/EmpiW**bleep**Stats.log") | fields TRAN_TYPE, respTime | stats count(TRAN_TYPE) as Total_Pages1, count(respTime) as "Total_Pages2" | addtotals fieldname="Total Pages" |fields "Total Pages"

Any assistance provided is appreciated.

Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-03-2021 07:24 AM

Please share the exact query using TRAN_CLASS!=6 so we can see how you're using it.

Have checked that events with TRAN_CLASS values other than 6 have a respTime field?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

shrogers
Loves-to-Learn Everything
‎06-03-2021 07:41 AM

Thank you for the assistance.

Please see the query with TRAN_CLASS!=6. TRAN_CLASS is only available in (ibm:was:performanceLog, ibm:was:cp:performanceLog)

index=dev TRAN_CLASS!=6 sourcetype IN (ibm:was:performanceLog, ibm:was:cp:performanceLog, ar:mdm) source IN ("/data/sharedDir/wp/*/logs/ARWP*Srv*/performance.log", "/data/sharedDir/cp/*/logs/ARCP*Srv*/sspperformance.log", "/data/infamdm_dev/hub/server/logs/EmpiW**bleep**Stats.log") | fields TRAN_TYPE, respTime | stats count(TRAN_TYPE) as Total_Pages1, count(respTime) as "Total_Pages2" | addtotals fieldname="Total Pages" |fields "Total Pages"

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-04-2021 05:39 AM

Try this alternative

index=dev NOT TRAN_CLASS=6 sourcetype IN (ibm:was:performanceLog, ibm:was:cp:performanceLog, ar:mdm) source IN ("/data/sharedDir/wp/*/logs/ARWP*Srv*/performance.log", "/data/sharedDir/cp/*/logs/ARCP*Srv*/sspperformance.log", "/data/infamdm_dev/hub/server/logs/EmpiW**bleep**Stats.log") | fields TRAN_TYPE, respTime | stats count(TRAN_TYPE) as Total_Pages1, count(respTime) as "Total_Pages2" | addtotals fieldname="Total Pages" |fields "Total Pages"
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

shrogers
Loves-to-Learn Everything
‎06-04-2021 08:18 AM

Thank you for your assistance. That query works.

My only concern with using NOT instead of "!=" is that NOT will bring back all rows even if TRAN_CLASS=' '. Plus TRAN_CLASS is not a field in "ar:mdm" and just using "!=" will affect respTime.

0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...