Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to exclude invoices with ID = 350

vita86
Explorer
‎04-20-2020 01:00 PM

Hello,

I'm training on splunk, I need help.

I have an invoice list, extracted via this query : 

sourcetype="*_invoice" 
| where in (id,350,128,307)
| table id invoice ProductType

Result :
350 261313851 phone
128 261313851 screen
307 538601320 aquarium
.....

But I have to exclude invoice number 261313851 because it contains id = 350.

How can I do please ? foreach and condition if ? 

| Foreach invoice [eval status_invoice=if(id!=350, "ok", "ko")] 
| where status_invoice= "ok"?

Thank you in advance for your help.

Regards,
vita86

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-20-2020 01:25 PM

If you take 350 out of the where clause then those IDs will not be included.

The foreach command iterates over the fields in a single event. Otherwise, commands iterate over each event returned by the previous command.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-21-2020 06:13 AM

Thanks for clarifying the problem. See if this helps. It groups the events by invoice then filters out those invoices that have id=350. Then the group is broken up and the results displayed.

sourcetype="*_invoice" (id=350 OR id=128 OR id=307)
| stats values(*) as * by invoice
`comment("mvfind returns NULL if '350' is not found")`
| where isnull(mvfind(id, "350"))
| mvexpand id
| table id invoice ProductType
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

vita86
Explorer
‎04-22-2020 07:12 AM

Thank you very much for your help and your explanation.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-23-2020 05:05 AM

If your problem is resolved then please accept the answer to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

vita86
Explorer
‎04-21-2020 12:32 AM

Hello richgalloway,

thanks for your answer.

if i remove 350 in the where clause, i will have this :
128 261313851 screen
307 538601320 aquarium

but this 261313851 invoice is not correct for me because it's contains too id = 350 so i want just :
307 538601320 aquarium
.......

How can i do please ?

Thank you very much for your help and your advice.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...