Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to build a search using 4 different ad hoc searches

svemurilv
Path Finder
‎09-07-2017 10:31 AM

base-search earliest=-1h@m|
Desk
cli_attr="MOBILE_IND=N"

Mobile
cli_attr="MOBILE_IND=Y"

Emarketing
cli_attr="MOBILE_IND=Y" OR cli_attr="MOBILE_IND=N" PartnerCode=*

Non-Emarketing
cli_attr="MOBILE_IND=Y" OR cli_attr="MOBILE_IND=N" NOT PartnerCode=*

using these am trying to build a base search

|eval deskdev=if(cli_attr=="MOBILE_IND=N","MOBILE_IND=N",NULL)
|eval mobiledev=if(cli_attr!="MOBILE_IND=N","MOBILE_IND=N",NULL)
|eval eMarketing=if((cli_attr=="MOBILE_IND=Y") OR (cli_attr!="MOBILE_IND==Y") AND (PartnerCode=="") , "MOBILE_IND=Y",NULL)
|eval NoneMarketing=if((cli_attr=="MOBILE_IND=Y") OR (cli_attr!="MOBILE_IND=Y") AND (PartnerCode!=""),"MOBILE_IND=Y",NULL)

search not able to match the values with original, how would it possible.

0 Karma
Reply

woodcock
Esteemed Legend
‎09-07-2017 09:56 PM

Like this:

base-search earliest=-1h@m
| stats count(eval(searchmatch("cli_attr=\"MOBILE_IND=N\""))) AS deskdev
        count(eval(searchmatch("cli_attr=\"MOBILE_IND=Y\""))) AS mobiledev
        count(eval(searchmatch("cli_attr=\"MOBILE_IND=Y\" OR cli_attr=\"MOBILE_IND=N\" PartnerCode=\"*\""))) AS eMarketing
        count(eval(searchmatch("cli_attr=\"MOBILE_IND=Y\" OR cli_attr=\"MOBILE_IND=N\" NOT PartnerCode=\"*\""))) AS NoneMarketing

It is hilarious but probably won't fly for you to call Non-eMarketing by None Marketing, kind of like a psychologist using therpaist.com.

0 Karma
Reply

s2_splunk
Splunk Employee
Splunk Employee
‎09-07-2017 10:56 AM

This should work. I recommend using null() instead of NULL, but that's not your issue.
Can you provide a sample event? Are you sure your field contents in the events are present and have the exact value you are looking for?

This run-anywhere search validates that your query is correct: | makeresults | eval cli_attr="MOBILE_IND=N" | eval deskdev=if(cli_attr=="MOBILE_IND=N","MOBILE_IND=N",null())

0 Karma
Reply

svemurilv
Path Finder
‎09-07-2017 11:23 AM

Am good with the Desktop and Mobile , but am not sure how to write the |eval condition for Emarketing and NonEmarketing. where i struck

0 Karma
Reply

s2_splunk
Splunk Employee
Splunk Employee
‎09-07-2017 11:30 AM

This part (cli_attr=="MOBILE_IND=Y") OR (cli_attr!="MOBILE_IND==Y") makes no sense (it's always true), you may as well leave it out and just use PatnerCode

0 Karma
Reply

svemurilv
Path Finder
‎09-07-2017 11:32 AM

missing these ?

Emarketing
cli_attr="MOBILE_IND=Y" OR cli_attr="MOBILE_IND=N" PartnerCode=*

Non-Emarketing
cli_attr="MOBILE_IND=Y" OR cli_attr="MOBILE_IND=N" NOT PartnerCode=*

0 Karma
Reply

s2_splunk
Splunk Employee
Splunk Employee
‎09-07-2017 11:54 AM

What values can cli_attr have other than MOBILE_IND=Y and MOBILE_IND=N?

Maybe we can help better if you verbally describe the conditions you want to test for and the resulting values for the eval'ed target field, as I am not clear on what you want your outcome to be.

0 Karma
Reply

svemurilv
Path Finder
‎09-07-2017 12:35 PM

here in the the search we have included a PartnerCode=* and NOT PartnerCode=* there 2 are the differences between emarketing and nonemarketing we should include that part also in the same |eval If condition for each

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...