Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do you specify a list in WHERE condition?

vaibhavvijay9
New Member
‎02-07-2019 11:03 PM

Hi All,

  • I want to display only results which are present in a given list (please see below) :

....... | xmlkv | stats count by "ApplicationFunction" | WHERE "ApplicationFunction" IN ("Price", "History", "Notify")

  • There are around 10 values that I want to filter out from 30-40 values. So the list specified in IN will have 10 values.
  • I want to create an overview dashboard (PieChart).

*Is this possible with Splunk? *

If yes, please help me. Otherwise, please specify any possible way to achieve the same.

Thanks in advance !

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

vishaltaneja070
Motivator
‎02-07-2019 11:10 PM

Hello @vaibhavvijay9

I think the issue is with double quotes if you mention field name in double quotes in where command then it will become a value which is causing issue in your case. Try this:

    ....... | xmlkv | stats count by ApplicationFunction | WHERE ApplicationFunction IN ("Price", "History", "Notify")

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

vishaltaneja070
Motivator
‎02-07-2019 11:10 PM

Hello @vaibhavvijay9

I think the issue is with double quotes if you mention field name in double quotes in where command then it will become a value which is causing issue in your case. Try this:

    ....... | xmlkv | stats count by ApplicationFunction | WHERE ApplicationFunction IN ("Price", "History", "Notify")
0 Karma
Reply
Solved! Jump to solution

vaibhavvijay9
New Member
‎02-07-2019 11:49 PM

Thanks @vishaltaneja07011993

Actually my exact field name was "ns0:ApplicationFunction" so when I used it without quotes in WHERE it was resulting in error.

But I renamed it as app and it worked.

So my final working string is :

....... | xmlkv | rename ns0:ApplicationFunction as app | WHERE app IN ("Price", "History", "Notify") | stats count by app

Thanks Again.

0 Karma
Reply
Solved! Jump to solution

vishaltaneja070
Motivator
‎02-07-2019 11:55 PM

@vaibhavvijay9

Great 🙂 Welcome 🙂

Good Luck

0 Karma
Reply
Solved! Jump to solution

vishaltaneja070
Motivator
‎02-07-2019 11:12 PM

And also you can create a lookup of ApplicationFunction and try to filter from there as well. Like below
|stats count by ApplicationFunction | search [|inputlookup ApplicationFunction.csv]

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | A sphere has three, a circle has two, and a point has zero. What is it?

September 2023 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

 Clayton Homes faced the increased challenge of strengthening their security posture as they went through ...

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

We’re happy to announce the release of Mission Control 2.3 which includes several new and exciting features ...