ZacEsa:
Basically I have a search from multiple different sources with lots of raw rex field extractions and transactions and evals. Is it possible to filter out the results after all of those?
E.g. only show results which fulfil ANY of the below criteria:
If eventcount>2 AND field1=somevaluehere
OR If eventcount>5 AND field1=anothervaluehere
OR If field2!=null()
I'm wondering if this can be done after all the search, rex, transaction, eval and all.
sundareshr:
Sure you can. Try this:
your base search | search (eventcount>2 AND field1=somevaluehere) OR (eventcount>5 AND field1=anothervaluehere) OR NOT (field2=*)
*OR*
your base search | where (eventcount>2 AND field1="somevaluehere") OR (eventcount>5 AND field1="anothervaluehere") OR isnull(field2)
ZacEsa:
Strangely, where doesn't work for me.
sundareshr:
If you are using transaction, you will have to use mv functions for field1 & field2. So try something like this:
your base search | where (eventcount>2 AND mvfind(field1, "somevaluehere")>=0) OR (eventcount>5 AND mvfind(field1, "anothervaluehere")>=0) OR NOT (mvcount(field2)>0)
ZacEsa:
I get the error below when I try to run where (eventcount>2 AND mvfind(field1, somevaluehere)):
Error in 'where' command: Typechecking failed. 'AND' only takes boolean arguments.
sundareshr:
This is the where segment:
| where (eventcount>2 AND mvfind(field1, "somevaluehere")>=0) OR (eventcount>5 AND mvfind(field1, "anothervaluehere")>=0) OR NOT (mvcount(field2)>0)
ZacEsa:
I've got it to start working, but I'm having a peculiar issue. When I use where ((acduser!="user1" OR acduser!="user2") AND rules="After Office Hours"), it's still showing events which are "After Office Hours" AND where the user is user1 or user2. From the above where, shouldn't it show "After Office Hours" only if the user is NOT user1 or user2?
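A runnable illustration of the two points in this thread, the post-transaction filter with mvfind/mvcount and the OR-vs-AND user exclusion in the post above. It is added here and is not code from the thread; it builds six constructed events with makeresults using the thread's field names (the transaction key session and the user user7 are assumptions) and computes the original exclusion clause beside a fixed one so both can be compared in the output table.

```spl
| makeresults count=6
| streamstats count AS n
| eval _time = now() - n*60
| eval session = case(n<=3, "s1", n<=5, "s2", true(), "s3")
| eval acduser = case(n<=3, "user1", n<=5, "user7", true(), "user2")
| eval field1 = case(n==2, "somevaluehere", n==4, "anothervaluehere", true(), "other")
| eval field2 = if(n==6, "present", null())
| eval rules = if(n>=4, "After Office Hours", "")
| transaction session
| eval criteria_match = if((eventcount>2 AND mvfind(field1, "^somevaluehere$")>=0)
                          OR (eventcount>5 AND mvfind(field1, "^anothervaluehere$")>=0)
                          OR mvcount(field2)>0, 1, 0)
| eval buggy_exclusion = if((acduser!="user1" OR acduser!="user2") AND rules="After Office Hours", 1, 0)
| eval fixed_exclusion = if(isnull(mvfind(acduser, "^(user1|user2)$")) AND rules="After Office Hours", 1, 0)
| table session eventcount acduser field1 field2 rules criteria_match buggy_exclusion fixed_exclusion
```

Expected rows: s1 (eventcount 3, user1) matches the criteria but fails both exclusion flags, s2 (user7) passes both exclusion flags, and s3 (user2) passes only the buggy one, because `(acduser!="user1" OR acduser!="user2")` is true for every value and only the `rules` test actually filters. Excluding both users needs AND, or the regex over the multivalue field as in `fixed_exclusion`.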
ZacEsa:
Your first solution doesn't work either.
Anonymous:
Do you have a field called eventcount, or is that a field you first need Splunk to calculate? The process both folks have provided (where or search) does work. The only difference might be:
your base search | <your transforming & field extracting commands> | where blah blah blah
ZacEsa:
I believe one of my issues with where is that I have a concatenated field called rules. The field doesn't use null() but instead uses "", as when I use null() the fields do not concatenate. So, when I try to use where rules!="", it doesn't work.
ZacEsa:
When you do a transaction, it becomes eventcount. I have no idea why neither works for me. Does where not work for fields extracted by rex? Also, I get this error when trying to run the suggestion after yours (see below comment):
Error in 'where' command: Typechecking failed. 'AND' only takes boolean arguments.
Anonymous:
You should be able to do it with the | where command after your complex query, something like:
| where (eventcount>2 AND field1="somevaluehere") OR ....
ZacEsa:
Strangely, where doesn't work for me.