Splunk Search

How to perform the below condition in Splunk search?

dtccsundar
Path Finder

I have 3 date columns.I have already calculated the difference between current day and the diff is in days are the values in the 3 columns.  

Col1 Col2 Col3
12   7
2 34 45
15 25  
250 56 120
21    

Required filter :

- i have  to filter only days <=40 in all 3 columns.

- If a column has null and other 2 columns have values <=40 then they need to be shown

-if a column or 2 column has null and rest other column has value <=40 they need to displayed

-if a column is null and other column values are greater >40 then they need to removed from scope.

Please let me know the search .

 

 

Labels (1)
0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@dtccsundar 

Are you looking for this?

YOUR_SEARCH
|where (isnull(Col1) OR Col1="" OR Col1>40) OR ((isnull(Col2) OR Col2="" OR Col2>40)) OR (isnull(Col3) OR Col3="" OR Col3>40)

My Sample Search :

| makeresults 
| eval _raw="Col1	Col2	Col3
12	 	7
2	34	45
15	25	 
250	56	120
21	 	 " 
| multikv forceheader=1 
| table Col1 Col2 Col3 
| rename comment as "Upto now is for data only" 
| where (isnull(Col1) OR Col1="" OR Col1>40) OR ((isnull(Col2) OR Col2="" OR Col2>40)) OR (isnull(Col3) OR Col3="" OR Col3>40)


KV 

0 Karma

gcusello
SplunkTrust
SplunkTrust

HI @dtccsundar,

you have to create a filter like this:

<your search>
| fillnull value="-" Col1
| fillnull value="-" Col2
| fillnull value="-" Col3
| search 
   (Col1<=40 Col2<=40 Col3<=40) OR
   (Col1="-" Col2<=40 Col3<=40) OR
   (Col1<=40 Col2="-" Col3<=40) OR
   (Col1<=40 Col2<=40 Col3="-") OR
   (Col1="-" Col2="-" Col3<=40) OR 
   (Col1="-" Col2<=40 Col3="-") OR 
   (Col1<=40 Col2="-" Col3="-")

Ciao.

Giuseppe

0 Karma

dtccsundar
Path Finder

Thank you .

But by using this , the difference in days less than 40 days are also removed .

Kindly help me with this search.

 

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @dtccsundar,

let me understand: what do you mean with "by using this , the difference in days less than 40 days are also removed "?

I built your all the conditions you described, what are conditions removed?

Ciao.

Giuseppe

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...