Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to exclude invoices with ID = 350

vita86
Explorer
‎04-20-2020 01:00 PM

Hello,

I'm training on splunk, I need help.

I have an invoice list, extracted via this query : 

sourcetype="*_invoice" 
| where in (id,350,128,307)
| table id invoice ProductType

Result :
350 261313851 phone
128 261313851 screen
307 538601320 aquarium
.....

But I have to exclude invoice number 261313851 because it contains id = 350.

How can I do please ? foreach and condition if ? 

| Foreach invoice [eval status_invoice=if(id!=350, "ok", "ko")] 
| where status_invoice= "ok"?

Thank you in advance for your help.

Regards,
vita86

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-20-2020 01:25 PM

If you take 350 out of the where clause then those IDs will not be included.

The foreach command iterates over the fields in a single event. Otherwise, commands iterate over each event returned by the previous command.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-21-2020 06:13 AM

Thanks for clarifying the problem. See if this helps. It groups the events by invoice then filters out those invoices that have id=350. Then the group is broken up and the results displayed.

sourcetype="*_invoice" (id=350 OR id=128 OR id=307)
| stats values(*) as * by invoice
`comment("mvfind returns NULL if '350' is not found")`
| where isnull(mvfind(id, "350"))
| mvexpand id
| table id invoice ProductType
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

vita86
Explorer
‎04-22-2020 07:12 AM

Thank you very much for your help and your explanation.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-23-2020 05:05 AM

If your problem is resolved then please accept the answer to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

vita86
Explorer
‎04-21-2020 12:32 AM

Hello richgalloway,

thanks for your answer.

if i remove 350 in the where clause, i will have this :
128 261313851 screen
307 538601320 aquarium

but this 261313851 invoice is not correct for me because it's contains too id = 350 so i want just :
307 538601320 aquarium
.......

How can i do please ?

Thank you very much for your help and your advice.

0 Karma
Reply
Get Updates on the Splunk Community!

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...

Splunk AppDynamics Agents Webinar Series

Mark your calendars! On June 24th at 12PM PST, we’re going live with the second session of our Splunk ...

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2025 SplunkTrust is officially open! If you ...