Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How can I add where statement but only if somethin...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
splunker1981
Path Finder
06-29-2018
01:48 PM
Hello experts,
I have a search that I am trying to add a where statement to which compares fieldvalueA to fieldvalueB. where statement works great but I'd like to only hit the where statement only if a specific field does not exist. Hope that makes sense
My search that currently works looks something like this
searchHere (index=xyz sourcetype=xxx) OR (index=yyy sourcetype=tttt)
|stats values(x) values(y) by fieldY
|where test1=test2
What I'd like to do is; if the second sourcetype does not return in the result-set then don't execute the where statement.
searchHere (index=xyz sourcetype=xxx) OR (index=yyy sourcetype=tttt)
|stats values(x) values(y) by fieldY
|where test1=test2 if(exists(sourcetype=ttt)
Pretty sure there's a better way to do that, hoping someone can point me in the right direction.
Cheers and thanks for the help!
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
06-29-2018
08:09 PM
You were so close!
(index="1" AND sourcetype="1") OR (index="2" sourcetype="2")
|eval joiner=coalesce(uqIDX, buildIDX, "JUSTINCASE")
|eval sourcetype1_value=if((sourcetype="1"), coalesce(sourcetype1_value, "0_no_build"), null())
|eval sourcetype2_value=if((sourcetype="2"), coalesce(sourcetype2_value, "Manual"), null())
|stats values(sourcetype1_value), values(sourcetype2_value), values(sourcetype2_valueB), values(sourcetype2_value3) BY joiner
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
06-29-2018
08:09 PM
You were so close!
(index="1" AND sourcetype="1") OR (index="2" sourcetype="2")
|eval joiner=coalesce(uqIDX, buildIDX, "JUSTINCASE")
|eval sourcetype1_value=if((sourcetype="1"), coalesce(sourcetype1_value, "0_no_build"), null())
|eval sourcetype2_value=if((sourcetype="2"), coalesce(sourcetype2_value, "Manual"), null())
|stats values(sourcetype1_value), values(sourcetype2_value), values(sourcetype2_valueB), values(sourcetype2_value3) BY joiner
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
06-29-2018
02:15 PM
So if there is no data coming from sourcetype=ttt (which will be aggregated by your stats if present), then do not apply any filter? If this is correct, give this a try
searchHere (index=xyz sourcetype=xxx) OR (index=yyy sourcetype=tttt)
|stats values(x) values(y) values(sourcetype) as sts by fieldY
|where test1=test2 AND isnotnull(mvfilter(match(sts,"tttt")))
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
splunker1981
Path Finder
06-29-2018
02:52 PM
That worked but only if both tests matched. What I'd like to do is make the where statement fail if the sourcetype doesn't exist. Might be a better way to rewrite what I am trying to do which is essentially not use a join statement and use | stats instead
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
splunker1981
Path Finder
06-29-2018
03:01 PM
I'm starting by searching two indexes/sourcetypes
(index=1 and sourcetype=1) OR (index=2 and sourcetype=2)
Both have a few fields in common but I need to pull values from each sourcetype specifically.
sourcetype1 and sourcetype2 have 2 fields in common which I was using to join build_idx uqIDX.
Data always exists in the build sourcetype (sourcetype1) but only if the process has made it out of phase1 will it exist in sourcetype2. When I use stats to print fields from both sourcetypes, if an event does not exist in the second sourcetype then I get zero results.
Something like the below
index=1 sourcetype=1 OR index=2 sourcetype=2
|eval joinOn=coalesce(uqIDX,buildIDX)
|eval sourcetype1_value=if(isnull(sourcetype1_value),"0_no_build",sourcetype1_value)
|eval sourcetype2_value=if(isnull(sourcetype2_value),"Manual",sourcetype2_value)
|stats values(sourcetype1_value), values(sourcetype2_value), values(sourcetype2_valueB), values(sourcetype2_value3) by joinOn
Get Updates on the Splunk Community!
Now Playing: Splunk Education Summer Learning Premieres
It’s premiere season, and Splunk Education is rolling out new releases you won’t want to miss. Whether you’re ...
The Visibility Gap: Hybrid Networks and IT Services
The most forward thinking enterprises among us see their network as much more than infrastructure – it's their ...
Get Operational Insights Quickly with Natural Language on the Splunk Platform
In today’s fast-paced digital world, turning data into actionable insights is essential for success. With ...
