Splunk Search

How do I filter out results of a search AFTER the search?

ZacEsa
Communicator

Basically I have a search from multiple different sources with lots of raw rex field extractions and transactions and evals. Is it possible to filter out the results after all of those?

E.g. Only show results which fulfil ANY of the below criteria;

If eventcount>2 AND field1=somevaluehere
OR If eventcount>5 AND field1=anothervaluehere
OR If field2!=null()

I'm wondering if this can be done after all the search, rex, transaction, eval and all.

0 Karma
1 Solution

sundareshr
Legend

Sure you can. Try this

your base search | search (eventcount>2 AND field1=somevaluehere) OR (eventcount>5 AND field1=anothervaluehere) OR NOT (field2=*)

*OR*

your base search | where (eventcount>2 AND field1=somevaluehere) OR (eventcount>5 AND field1=anothervaluehere) OR NOT (field2=*)

View solution in original post

sundareshr
Legend

Sure you can. Try this

your base search | search (eventcount>2 AND field1=somevaluehere) OR (eventcount>5 AND field1=anothervaluehere) OR NOT (field2=*)

*OR*

your base search | where (eventcount>2 AND field1=somevaluehere) OR (eventcount>5 AND field1=anothervaluehere) OR NOT (field2=*)

ZacEsa
Communicator

Strangely, where doesn't work for me.

0 Karma

sundareshr
Legend

If you are using transaction, you will have to use mv functions for field1 & field 2. So try something like this

 your base search | where (eventcount>2 AND mvfind(field1, somevaluehere)>=0) OR (eventcount>5 AND mvfind(field2, anothervalue)>=0) ) OR NOT (mvcount(field2)>0)
0 Karma

ZacEsa
Communicator

I get the error below when I try to run where (eventcount>2 AND mvfind(field1, somevaluehere))

Error in 'where' command: Typechecking failed. 'AND' only takes boolean arguments.

0 Karma

sundareshr
Legend

This is the where segment

| where (eventcount>2 AND mvfind(field1, somevaluehere)>=0) OR (eventcount>5 AND mvfind(field2, anothervalue)>=0) ) OR NOT (mvcount(field2)>0)

0 Karma

ZacEsa
Communicator

I've got it to start working but, I'm having a peculiar issue. When I use where ((acduser!="user1" OR acduser!="user2") AND rules="After Office Hours") it's still showing events which are "After Office Hours" AND if user is user1 or user2. From the above where, shouldn't it show "After Office Hours" if user is NOT user1 or user2?

0 Karma

ZacEsa
Communicator

Your first solution doesn't work too.

0 Karma

Runals
Motivator

Do you have a field called eventcount or is that field something you first need Splunk to calculate? The process both folks have provided (where or search) do work. The only difference might be

your base search | <your transforming & field extracting commands> | where blah blah blah
0 Karma

ZacEsa
Communicator

I believe one of my issue for where is that I have a concatenated field called rules. And the field doesn't use null() but instead, uses "" as when I use null(), the fields do not concatenate. So, where I try to use where rules!="", it doesn't work.

0 Karma

ZacEsa
Communicator

When you do a transaction, it becomes eventcount. I have no idea why neither works for me. Does where not work for fields extracted by rex? Also, I get this error when trying to run the suggestion after yours(see below comment.)

Error in 'where' command: Typechecking failed. 'AND' only takes boolean arguments.

0 Karma

ddrillic
Ultra Champion

You should be able to do it with the | where command after your complex query, something like

| where (If eventcount>2 AND field1=somevaluehere) OR ....

ZacEsa
Communicator

Strangely, where doesn't work for me.

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...