Splunk Search

How to exclude invoices with ID = 350

vita86
Explorer

Hello,

I'm training on Splunk, I need help.

I have an invoice list, extracted via this query:

sourcetype="*_invoice"
| where in(id, 350, 128, 307)
| table id invoice ProductType

Result:
350 261313851 phone
128 261313851 screen
307 538601320 aquarium

.....

But I have to exclude invoice number 261313851 because it contains id = 350.

How can I do it, please? foreach and an if condition?

| foreach invoice [eval status_invoice=if(id!=350, "ok", "ko")]
| where status_invoice="ok" ?

Thank you in advance for your help.

Regards,
vita86


richgalloway
SplunkTrust

If you take 350 out of the where clause then those IDs will not be included.

The foreach command iterates over the fields in a single event. Otherwise, commands iterate over each event returned by the previous command.

---
If this reply helps you, Karma would be appreciated.

richgalloway
SplunkTrust

Thanks for clarifying the problem. See if this helps. It groups the events by invoice then filters out those invoices that have id=350. Then the group is broken up and the results displayed.

sourcetype="*_invoice" (id=350 OR id=128 OR id=307)
| stats values(*) as * by invoice
`comment("mvfind returns NULL if '350' is not found")`
| where isnull(mvfind(id, "350"))
| mvexpand id
| table id invoice ProductType
---
If this reply helps you, Karma would be appreciated.
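A self-contained variant of the grouping idea above, added here as an example and not taken from the thread or from richgalloway's answer. It builds the sample rows with makeresults (constructed data, matching the values in the question), tags every row with the set of ids seen on its invoice using eventstats instead of stats, and drops whole invoices where that set contains 350. Keeping eventstats rather than stats/mvexpand preserves the one-to-one pairing of id and ProductType on each row, and anchoring the mvfind regex as ^350$ avoids matching ids such as 1350 (the field name invoice_ids is an assumption).

```spl
| makeresults count=4
| streamstats count AS n
| eval id=case(n=1, 350, n=2, 128, n=3, 307, n=4, 128),
       invoice=case(n=1, "261313851", n=2, "261313851", n=3, "538601320", n=4, "538601320"),
       ProductType=case(n=1, "phone", n=2, "screen", n=3, "aquarium", n=4, "screen")
| where in(id, 350, 128, 307)
`comment("invoice_ids is a multivalue field listing every distinct id seen on the same invoice")`
| eventstats values(id) AS invoice_ids BY invoice
`comment("mvfind returns NULL when no value matches the anchored regex, so only invoices without id 350 survive")`
| where isnull(mvfind(invoice_ids, "^350$"))
| fields - _time n invoice_ids
| table id invoice ProductType
```

Run against the constructed rows, invoice 261313851 disappears entirely (it carries id 350), and the two rows of invoice 538601320 (307 aquarium, 128 screen) remain with their ProductType values intact. Replace the makeresults/eval block with the real sourcetype="*_invoice" search to apply it to live data.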

vita86
Explorer

Thank you very much for your help and your explanation.


richgalloway
SplunkTrust

If your problem is resolved then please accept the answer to help future readers.

---
If this reply helps you, Karma would be appreciated.

vita86
Explorer

Hello richgalloway,

Thanks for your answer.

If I remove 350 from the where clause, I will have this:
128 261313851 screen
307 538601320 aquarium

But this 261313851 invoice is not correct for me because it also contains id = 350, so I want just:
307 538601320 aquarium
.......

How can I do it, please?

Thank you very much for your help and your advice.
