Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How can I add where statement but only if somethin...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
splunker1981
Path Finder
06-29-2018
01:48 PM
Hello experts,
I have a search that I am trying to add a where statement to which compares fieldvalueA to fieldvalueB. where statement works great but I'd like to only hit the where statement only if a specific field does not exist. Hope that makes sense
My search that currently works looks something like this
searchHere (index=xyz sourcetype=xxx) OR (index=yyy sourcetype=tttt)
|stats values(x) values(y) by fieldY
|where test1=test2
What I'd like to do is; if the second sourcetype does not return in the result-set then don't execute the where statement.
searchHere (index=xyz sourcetype=xxx) OR (index=yyy sourcetype=tttt)
|stats values(x) values(y) by fieldY
|where test1=test2 if(exists(sourcetype=ttt)
Pretty sure there's a better way to do that, hoping someone can point me in the right direction.
Cheers and thanks for the help!
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
06-29-2018
08:09 PM
You were so close!
(index="1" AND sourcetype="1") OR (index="2" sourcetype="2")
|eval joiner=coalesce(uqIDX, buildIDX, "JUSTINCASE")
|eval sourcetype1_value=if((sourcetype="1"), coalesce(sourcetype1_value, "0_no_build"), null())
|eval sourcetype2_value=if((sourcetype="2"), coalesce(sourcetype2_value, "Manual"), null())
|stats values(sourcetype1_value), values(sourcetype2_value), values(sourcetype2_valueB), values(sourcetype2_value3) BY joiner
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
06-29-2018
08:09 PM
You were so close!
(index="1" AND sourcetype="1") OR (index="2" sourcetype="2")
|eval joiner=coalesce(uqIDX, buildIDX, "JUSTINCASE")
|eval sourcetype1_value=if((sourcetype="1"), coalesce(sourcetype1_value, "0_no_build"), null())
|eval sourcetype2_value=if((sourcetype="2"), coalesce(sourcetype2_value, "Manual"), null())
|stats values(sourcetype1_value), values(sourcetype2_value), values(sourcetype2_valueB), values(sourcetype2_value3) BY joiner
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
06-29-2018
02:15 PM
So if there is no data coming from sourcetype=ttt (which will be aggregated by your stats if present), then do not apply any filter? If this is correct, give this a try
searchHere (index=xyz sourcetype=xxx) OR (index=yyy sourcetype=tttt)
|stats values(x) values(y) values(sourcetype) as sts by fieldY
|where test1=test2 AND isnotnull(mvfilter(match(sts,"tttt")))
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
splunker1981
Path Finder
06-29-2018
02:52 PM
That worked but only if both tests matched. What I'd like to do is make the where statement fail if the sourcetype doesn't exist. Might be a better way to rewrite what I am trying to do which is essentially not use a join statement and use | stats instead
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
splunker1981
Path Finder
06-29-2018
03:01 PM
I'm starting by searching two indexes/sourcetypes
(index=1 and sourcetype=1) OR (index=2 and sourcetype=2)
Both have a few fields in common but I need to pull values from each sourcetype specifically.
sourcetype1 and sourcetype2 have 2 fields in common which I was using to join build_idx uqIDX.
Data always exists in the build sourcetype (sourcetype1) but only if the process has made it out of phase1 will it exist in sourcetype2. When I use stats to print fields from both sourcetypes, if an event does not exist in the second sourcetype then I get zero results.
Something like the below
index=1 sourcetype=1 OR index=2 sourcetype=2
|eval joinOn=coalesce(uqIDX,buildIDX)
|eval sourcetype1_value=if(isnull(sourcetype1_value),"0_no_build",sourcetype1_value)
|eval sourcetype2_value=if(isnull(sourcetype2_value),"Manual",sourcetype2_value)
|stats values(sourcetype1_value), values(sourcetype2_value), values(sourcetype2_valueB), values(sourcetype2_value3) by joinOn
Get Updates on the Splunk Community!
Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...
This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...
Splunk Community Badges!
Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...
What You Read The Most: Splunk Lantern’s Most Popular Articles!
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
