Splunk Search
Highlighted

How to build a search using 4 different ad hoc searches

Path Finder

base-search earliest=-1h@m|
Desk
cliattr="MOBILEIND=N"

Mobile
cliattr="MOBILEIND=Y"

Emarketing
cliattr="MOBILEIND=Y" OR cliattr="MOBILEIND=N" PartnerCode=*

Non-Emarketing
cliattr="MOBILEIND=Y" OR cliattr="MOBILEIND=N" NOT PartnerCode=*

using these am trying to build a base search

|eval deskdev=if(cliattr=="MOBILEIND=N","MOBILEIND=N",NULL)
|eval mobiledev=if(cli
attr!="MOBILEIND=N","MOBILEIND=N",NULL)
|eval eMarketing=if((cliattr=="MOBILEIND=Y") OR (cliattr!="MOBILEIND==Y") AND (PartnerCode=="") , "MOBILEIND=Y",NULL)
|eval NoneMarketing=if((cli
attr=="MOBILEIND=Y") OR (cliattr!="MOBILE_IND=Y") AND (PartnerCode!="
"),"MOBILE_IND=Y",NULL)

search not able to match the values with original, how would it possible.

0 Karma
Highlighted

Re: How to build a search using 4 different ad hoc searches

Splunk Employee
Splunk Employee

This should work. I recommend using null() instead of NULL, but that's not your issue.
Can you provide a sample event? Are you sure your field contents in the events are present and have the exact value you are looking for?

This run-anywhere search validates that your query is correct: | makeresults | eval cli_attr="MOBILE_IND=N" | eval deskdev=if(cli_attr=="MOBILE_IND=N","MOBILE_IND=N",null())

0 Karma
Highlighted

Re: How to build a search using 4 different ad hoc searches

Path Finder

Am good with the Desktop and Mobile , but am not sure how to write the |eval condition for Emarketing and NonEmarketing. where i struck

0 Karma
Highlighted

Re: How to build a search using 4 different ad hoc searches

Splunk Employee
Splunk Employee

This part (cli_attr=="MOBILE_IND=Y") OR (cli_attr!="MOBILE_IND==Y") makes no sense (it's always true), you may as well leave it out and just use PatnerCode

0 Karma
Highlighted

Re: How to build a search using 4 different ad hoc searches

Path Finder

missing these ?

Emarketing
cliattr="MOBILEIND=Y" OR cliattr="MOBILEIND=N" PartnerCode=*

Non-Emarketing
cliattr="MOBILEIND=Y" OR cliattr="MOBILEIND=N" NOT PartnerCode=*

0 Karma
Highlighted

Re: How to build a search using 4 different ad hoc searches

Splunk Employee
Splunk Employee

What values can cliattr have other than MOBILEIND=Y and MOBILE_IND=N?

Maybe we can help better if you verbally describe the conditions you want to test for and the resulting values for the eval'ed target field, as I am not clear on what you want your outcome to be.

0 Karma
Highlighted

Re: How to build a search using 4 different ad hoc searches

Path Finder

here in the the search we have included a PartnerCode=* and NOT PartnerCode=* there 2 are the differences between emarketing and nonemarketing we should include that part also in the same |eval If condition for each

0 Karma
Highlighted

Re: How to build a search using 4 different ad hoc searches

Esteemed Legend

Like this:

base-search earliest=-1h@m
| stats count(eval(searchmatch("cli_attr=\"MOBILE_IND=N\""))) AS deskdev
        count(eval(searchmatch("cli_attr=\"MOBILE_IND=Y\""))) AS mobiledev
        count(eval(searchmatch("cli_attr=\"MOBILE_IND=Y\" OR cli_attr=\"MOBILE_IND=N\" PartnerCode=\"*\""))) AS eMarketing
        count(eval(searchmatch("cli_attr=\"MOBILE_IND=Y\" OR cli_attr=\"MOBILE_IND=N\" NOT PartnerCode=\"*\""))) AS NoneMarketing

It is hilarious but probably won't fly for you to call Non-eMarketing by None Marketing, kind of like a psychologist using therpaist.com.

0 Karma