Hi All,
....... | xmlkv | stats count by "ApplicationFunction" | WHERE "ApplicationFunction" IN ("Price", "History", "Notify")
*Is this possible with Splunk? *
If yes, please help me. Otherwise, please specify any possible way to achieve the same.
Thanks in advance !
Hello @vaibhavvijay9
I think the issue is with double quotes if you mention field name in double quotes in where command then it will become a value which is causing issue in your case. Try this:
....... | xmlkv | stats count by ApplicationFunction | WHERE ApplicationFunction IN ("Price", "History", "Notify")
Hello @vaibhavvijay9
I think the issue is with double quotes if you mention field name in double quotes in where command then it will become a value which is causing issue in your case. Try this:
....... | xmlkv | stats count by ApplicationFunction | WHERE ApplicationFunction IN ("Price", "History", "Notify")
Thanks @vishaltaneja07011993
Actually my exact field name was "ns0:ApplicationFunction" so when I used it without quotes in WHERE it was resulting in error.
But I renamed it as app and it worked.
So my final working string is :
....... | xmlkv | rename ns0:ApplicationFunction as app | WHERE app IN ("Price", "History", "Notify") | stats count by app
Thanks Again.
@vaibhavvijay9
Great 🙂 Welcome 🙂
Good Luck
And also you can create a lookup of ApplicationFunction and try to filter from there as well. Like below
|stats count by ApplicationFunction | search [|inputlookup ApplicationFunction.csv]