Splunk Search

How do you specify a list in WHERE condition?

vaibhavvijay9
New Member

Hi All,

  • I want to display only results which are present in a given list (please see below) :

....... | xmlkv | stats count by "ApplicationFunction" | WHERE "ApplicationFunction" IN ("Price", "History", "Notify")

  • There are around 10 values that I want to filter out from 30-40 values. So the list specified in IN will have 10 values.
  • I want to create an overview dashboard (PieChart).

*Is this possible with Splunk? *

If yes, please help me. Otherwise, please specify any possible way to achieve the same.

Thanks in advance !

0 Karma
1 Solution

vishaltaneja070
Motivator

Hello @vaibhavvijay9

I think the issue is with double quotes if you mention field name in double quotes in where command then it will become a value which is causing issue in your case. Try this:

    ....... | xmlkv | stats count by ApplicationFunction | WHERE ApplicationFunction IN ("Price", "History", "Notify")

View solution in original post

0 Karma

vishaltaneja070
Motivator

Hello @vaibhavvijay9

I think the issue is with double quotes if you mention field name in double quotes in where command then it will become a value which is causing issue in your case. Try this:

    ....... | xmlkv | stats count by ApplicationFunction | WHERE ApplicationFunction IN ("Price", "History", "Notify")
0 Karma

vaibhavvijay9
New Member

Thanks @vishaltaneja07011993

Actually my exact field name was "ns0:ApplicationFunction" so when I used it without quotes in WHERE it was resulting in error.

But I renamed it as app and it worked.

So my final working string is :

....... | xmlkv | rename ns0:ApplicationFunction as app | WHERE app IN ("Price", "History", "Notify") | stats count by app

Thanks Again.

0 Karma

vishaltaneja070
Motivator

@vaibhavvijay9

Great 🙂 Welcome 🙂

Good Luck

0 Karma

vishaltaneja070
Motivator

And also you can create a lookup of ApplicationFunction and try to filter from there as well. Like below
|stats count by ApplicationFunction | search [|inputlookup ApplicationFunction.csv]

0 Karma
Get Updates on the Splunk Community!

App Building 101 - Build Your First App!

WATCH RECORDING NOW   Tech Talk: App Dev Edition Splunk has tons of out-of-the-box functionality, and you’ve ...

Introducing support for Amazon Data Firehose in Splunk Edge Processor

We’re excited to announce a powerful update to Splunk Data Management with added support for Amazon Data ...

The Observability Round-Up: September 2024

What’s up Splunk Community! Welcome to the latest edition of the Observability Round-Up, a monthly series in ...