Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to exclude invoices with ID = 350

vita86
Explorer
‎04-20-2020 01:00 PM

Hello,

I'm training on splunk, I need help.

I have an invoice list, extracted via this query : 

sourcetype="*_invoice" 
| where in (id,350,128,307)
| table id invoice ProductType

Result :
350 261313851 phone
128 261313851 screen
307 538601320 aquarium
.....

But I have to exclude invoice number 261313851 because it contains id = 350.

How can I do please ? foreach and condition if ? 

| Foreach invoice [eval status_invoice=if(id!=350, "ok", "ko")] 
| where status_invoice= "ok"?

Thank you in advance for your help.

Regards,
vita86

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-20-2020 01:25 PM

If you take 350 out of the where clause then those IDs will not be included.

The foreach command iterates over the fields in a single event. Otherwise, commands iterate over each event returned by the previous command.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-21-2020 06:13 AM

Thanks for clarifying the problem. See if this helps. It groups the events by invoice then filters out those invoices that have id=350. Then the group is broken up and the results displayed.

sourcetype="*_invoice" (id=350 OR id=128 OR id=307)
| stats values(*) as * by invoice
`comment("mvfind returns NULL if '350' is not found")`
| where isnull(mvfind(id, "350"))
| mvexpand id
| table id invoice ProductType
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

vita86
Explorer
‎04-22-2020 07:12 AM

Thank you very much for your help and your explanation.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-23-2020 05:05 AM

If your problem is resolved then please accept the answer to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

vita86
Explorer
‎04-21-2020 12:32 AM

Hello richgalloway,

thanks for your answer.

if i remove 350 in the where clause, i will have this :
128 261313851 screen
307 538601320 aquarium

but this 261313851 invoice is not correct for me because it's contains too id = 350 so i want just :
307 538601320 aquarium
.......

How can i do please ?

Thank you very much for your help and your advice.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Updates (ESCU) - New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 3 releases of new content via the Enterprise ...

Thought Leaders are Validating Your Hard Work and Training Rigor

As a Splunk enthusiast and member of the Splunk Community, you are one of thousands who recognize the value of ...

.conf23 Registration is Now Open!

Time to toss the .conf-etti 🎉 —  .conf23 registration is open!   Join us in Las Vegas July 17-20 for ...