Splunk Search

How to exclude invoices with ID = 350

vita86
Explorer

Hello,

I'm training on splunk, I need help.

I have an invoice list, extracted via this query:

sourcetype="*_invoice" 
| where in (id,350,128,307)
| table id invoice ProductType 

Result:
350 261313851 phone
128 261313851 screen
307 538601320 aquarium

.....

But I have to exclude invoice number 261313851 because it contains id = 350.

How can I do this, please? foreach and an if condition?

| Foreach invoice [eval status_invoice=if(id!=350, "ok", "ko")] 
| where status_invoice= "ok"? 

Thank you in advance for your help.

Regards,
vita86

0 Karma

richgalloway
SplunkTrust

If you take 350 out of the where clause then those IDs will not be included.

The foreach command iterates over the fields in a single event. Otherwise, commands iterate over each event returned by the previous command.

---
If this reply helps you, Karma would be appreciated.
0 Karma

richgalloway
SplunkTrust

Thanks for clarifying the problem. See if this helps. It groups the events by invoice then filters out those invoices that have id=350. Then the group is broken up and the results displayed.

sourcetype="*_invoice" (id=350 OR id=128 OR id=307)
| stats values(*) as * by invoice
`comment("mvfind returns NULL if '350' is not found")`
| where isnull(mvfind(id, "350"))
| mvexpand id
| table id invoice ProductType
---
If this reply helps you, Karma would be appreciated.
0 Karma
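To make the difference between the two approaches in this thread concrete, here is an added Python example (not Splunk code, and not from the original posts) that replays the accepted search on a constructed copy of the asker's rows: the per-event filter keeps the other line of an invoice that also carries id=350, while grouping by invoice first (the `stats ... by invoice` / `mvfind` / `mvexpand` pattern) drops the whole invoice. The sample events and the extra invoices 777000111 and the id 999 are made up for the example.

```python
from collections import defaultdict

# Constructed sample events in the shape of the thread's table (id, invoice, ProductType).
# Rows are invented for this example; they are not data from the original post.
EVENTS = [
    {"id": 350, "invoice": 261313851, "ProductType": "phone"},
    {"id": 128, "invoice": 261313851, "ProductType": "screen"},
    {"id": 307, "invoice": 538601320, "ProductType": "aquarium"},
    {"id": 999, "invoice": 538601320, "ProductType": "filter"},     # not in the wanted set
    {"id": 128, "invoice": 777000111, "ProductType": "cable"},      # clean invoice with id 128
]

WANTED_IDS = {350, 128, 307}   # the ids the search pulls in
EXCLUDE_ID = 350               # any invoice carrying this id must be dropped entirely


def event_level_filter(events, wanted=WANTED_IDS, exclude=EXCLUDE_ID):
    """The first suggestion: take 350 out of the where clause.
    Each event is judged on its own, so the 'screen' line of invoice
    261313851 survives even though the same invoice also has id=350."""
    return [e for e in events if e["id"] in wanted and e["id"] != exclude]


def group_by_invoice(events):
    """Equivalent of `| stats values(*) as * by invoice`: one group per
    invoice, holding every event (and therefore every id) seen on it."""
    groups = defaultdict(list)
    for e in events:
        groups[e["invoice"]].append(e)
    return groups


def invoice_level_filter(events, wanted=WANTED_IDS, exclude=EXCLUDE_ID):
    """The accepted approach, step by step:
    1. keep only events whose id is in the wanted set (350 included, so the
       grouping step can still see it),
    2. group by invoice,
    3. drop the whole invoice if the excluded id is among its ids
       (the `where isnull(mvfind(id, ...))` test),
    4. expand the surviving groups back into one row per id (`mvexpand id`)."""
    candidates = [e for e in events if e["id"] in wanted]
    kept = []
    for invoice, rows in group_by_invoice(candidates).items():
        ids_on_invoice = {r["id"] for r in rows}
        if exclude in ids_on_invoice:
            continue                      # exclude the invoice, not just the 350 line
        kept.extend(rows)                 # mvexpand: one row per id again
    return kept


def as_table(rows):
    """Flatten rows to (id, invoice, ProductType) tuples, like `| table id invoice ProductType`."""
    return [(r["id"], r["invoice"], r["ProductType"]) for r in rows]


if __name__ == "__main__":
    print("event-level  :", as_table(event_level_filter(EVENTS)))
    print("invoice-level:", as_table(invoice_level_filter(EVENTS)))
```

One caveat when carrying this back to SPL: `mvfind` takes a regular expression, so `mvfind(id, "350")` also matches ids such as 1350 or 3500 if they exist in the data; anchoring the pattern as `"^350$"` restricts the exclusion to the exact id, which is what the Python set membership test above does.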

vita86
Explorer

Thank you very much for your help and your explanation.

0 Karma

richgalloway
SplunkTrust

If your problem is resolved then please accept the answer to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma

vita86
Explorer

Hello richgalloway,

thanks for your answer.

If I remove 350 from the where clause, I will have this:
128 261313851 screen
307 538601320 aquarium

but the 261313851 invoice is not correct for me because it also contains id = 350, so I want just:
307 538601320 aquarium
.......

How can I do this, please?

Thank you very much for your help and your advice.

0 Karma