Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to exclude invoices with ID = 350

vita86
Explorer
‎04-20-2020 01:00 PM

Hello,

I'm training on splunk, I need help.

I have an invoice list, extracted via this query : 

sourcetype="*_invoice" 
| where in (id,350,128,307)
| table id invoice ProductType

Result :
350 261313851 phone
128 261313851 screen
307 538601320 aquarium
.....

But I have to exclude invoice number 261313851 because it contains id = 350.

How can I do please ? foreach and condition if ? 

| Foreach invoice [eval status_invoice=if(id!=350, "ok", "ko")] 
| where status_invoice= "ok"?

Thank you in advance for your help.

Regards,
vita86

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-20-2020 01:25 PM

If you take 350 out of the where clause then those IDs will not be included.

The foreach command iterates over the fields in a single event. Otherwise, commands iterate over each event returned by the previous command.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-21-2020 06:13 AM

Thanks for clarifying the problem. See if this helps. It groups the events by invoice then filters out those invoices that have id=350. Then the group is broken up and the results displayed.

sourcetype="*_invoice" (id=350 OR id=128 OR id=307)
| stats values(*) as * by invoice
`comment("mvfind returns NULL if '350' is not found")`
| where isnull(mvfind(id, "350"))
| mvexpand id
| table id invoice ProductType
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

vita86
Explorer
‎04-22-2020 07:12 AM

Thank you very much for your help and your explanation.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-23-2020 05:05 AM

If your problem is resolved then please accept the answer to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

vita86
Explorer
‎04-21-2020 12:32 AM

Hello richgalloway,

thanks for your answer.

if i remove 350 in the where clause, i will have this :
128 261313851 screen
307 538601320 aquarium

but this 261313851 invoice is not correct for me because it's contains too id = 350 so i want just :
307 538601320 aquarium
.......

How can i do please ?

Thank you very much for your help and your advice.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Edge Processor: Next Gen Data Transformation

We get it - not only can it take a lot of time, money and resources to get data into Splunk, but it also takes ...

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Help us learn about how Splunk has impacted your career by taking the 2021 Splunk Career Survey. Last year’s ...

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...