Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Need to exculde data in search by using lookup data

renuka
Path Finder
‎06-01-2021 11:35 PM

Hello All

"Good Day"

index="aedc"
| rex field=source "-_(?<source>\S+)"
| rex "(?<ModuleID>MY\d+)"
| rex "(?<Path>/F.\s\S+\s\S+\s\S+\s\S+\s\S{5})"
|search"source"="*" MY22 "CRS_ASIL"="*" *
|rename "TC_D2_Test Result" as Result, TC_D2_Execution_date as verified_Date,"CRS__TestType" as TestType
| rename CRS__implementation_phase as CRS_IP, "TC_Test Result" as result
| eval verified_Date=if((verified_Date == "Attr not found : D2_Execution_date"),null(),verified_Date)
|eval Date=strptime(verified_Date, "%a %d %B %Y %H:%M:%S")|eval date=if(Date>1604600000.000000 OR Date>1602000000.000000,Date,0)
| eval First_Date=verified_Date, sortstring="~"
|eval date=if(Date>1604600000.000000 OR Date>1602000000.000000 ,Date,0)
| append
[|inputlookup DoorsMappingwithDatenopartial.csv |append[| inputlookup DoorsMappingNoDate.csv
|where bPartialResultsEnabled="FALSE"]]
| stats count(eval(Path="/F. System Testing/System Functional Test Cases")) as "Functional Total",count(eval(Result=case(Path="/F. System Testing/System Functional Test Cases" AND date=Date ,Result))) as "Functional Test Conducted",count(eval(Result=case(Path="/F. System Testing/System Functional Test Cases" AND Result="Pass" OR Result="PASS" AND date=Date,Result))) as "Functional Pass",count(eval(Result=case(Path="/F. System Testing/System Functional Test Cases"AND Result="Fail" OR Result="FAIL" AND date=Date,Result))) as "Functional Fail" by "CRS_Customer Requirement Identifier"
|eventstats sum("Functional Total") as Functional_Total,sum("Functional Test Conducted") as "Functional Test Conducted",sum("Functional Pass") as "Functional Pass",sum("Functional Fail") as "Functional Fail"|table Functional_Total,"Functional Test Conducted","Functional Pass","Functional Fail"

Above is my query in the query i am trying to add condition using lookup files 
Condition is if bPartialResultsEnabled is False we should consider date in functional count if it is true we should not consider date

I tried all possible ways ,I know

Please help me out..

Thank you in advance

Labels (5)
Labels
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...