Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do you specify a list in WHERE condition?

vaibhavvijay9
New Member
‎02-07-2019 11:03 PM

Hi All,

  • I want to display only results which are present in a given list (please see below) :

....... | xmlkv | stats count by "ApplicationFunction" | WHERE "ApplicationFunction" IN ("Price", "History", "Notify")

  • There are around 10 values that I want to filter out from 30-40 values. So the list specified in IN will have 10 values.
  • I want to create an overview dashboard (PieChart).

*Is this possible with Splunk? *

If yes, please help me. Otherwise, please specify any possible way to achieve the same.

Thanks in advance !

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

vishaltaneja070
Motivator
‎02-07-2019 11:10 PM

Hello @vaibhavvijay9

I think the issue is with double quotes if you mention field name in double quotes in where command then it will become a value which is causing issue in your case. Try this:

    ....... | xmlkv | stats count by ApplicationFunction | WHERE ApplicationFunction IN ("Price", "History", "Notify")

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

vishaltaneja070
Motivator
‎02-07-2019 11:10 PM

Hello @vaibhavvijay9

I think the issue is with double quotes if you mention field name in double quotes in where command then it will become a value which is causing issue in your case. Try this:

    ....... | xmlkv | stats count by ApplicationFunction | WHERE ApplicationFunction IN ("Price", "History", "Notify")
0 Karma
Reply
Solved! Jump to solution

vaibhavvijay9
New Member
‎02-07-2019 11:49 PM

Thanks @vishaltaneja07011993

Actually my exact field name was "ns0:ApplicationFunction" so when I used it without quotes in WHERE it was resulting in error.

But I renamed it as app and it worked.

So my final working string is :

....... | xmlkv | rename ns0:ApplicationFunction as app | WHERE app IN ("Price", "History", "Notify") | stats count by app

Thanks Again.

0 Karma
Reply
Solved! Jump to solution

vishaltaneja070
Motivator
‎02-07-2019 11:55 PM

@vaibhavvijay9

Great 🙂 Welcome 🙂

Good Luck

0 Karma
Reply
Solved! Jump to solution

vishaltaneja070
Motivator
‎02-07-2019 11:12 PM

And also you can create a lookup of ApplicationFunction and try to filter from there as well. Like below
|stats count by ApplicationFunction | search [|inputlookup ApplicationFunction.csv]

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Join Principal Threat Researcher, Michael Haag, as he walks through:An introduction to the Splunk Threat ...

Splunk Life | Happy Pride Month!

Happy Pride Month, Splunk Community! 🌈 In the United States, as well as many countries around the ...

SplunkTrust | Where Are They Now - Michael Uschmann

The Background Five years ago, Splunk published several videos showcasing members of the SplunkTrust to share ...