Search syntax help

kenntun · ‎05-11-2020

I import csv files structure like following

A Last Login Region Disable

abc@abc.com 3/23 18:00 HK No
tbc@tbc.com NULL USA Yes

I would like to make 1 chart with the following
1. Last Login != NULL AND Disable != Yes
Timechat as Region
2. Last Login = NULL AND Disable != NO
Timechat as Region

index=* source="/u01/testing.csv" sourcetype="365csv" | where "Last Login"!=NULL AND "Disable!="YES" | stats count by region

shivanshu1593 · ‎05-11-2020

Since there are two different condition, there'll be 2 different SPL, in my opinion. Try these and see if they might help you. In the span part, you can specify the span as per your needs. I also hope that index=* was done for obfuscating the name of the index, if not, then please specify the name of the Index, when you run this search in your environment.

First SPL:

index=* source="/u01/testing.csv" sourcetype="365csv" | where NOT "Last Login"=NULL AND Disable="YES" | timechart span=1d count by region

Second SPL:

index=* source="/u01/testing.csv" sourcetype="365csv" | search "Last Login"=NULL AND Disable!="NO" | timechart span=1d count by region

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###

Search syntax help

What the End of Support for Splunk Add-on Builder Means for You

Solve, Learn, Repeat: New Puzzle Channel Now Live

Building Reliable Asset and Identity Frameworks in Splunk ES

Are you a member of the Splunk Community?

Search syntax help

What the End of Support for Splunk Add-on Builder Means for You

Solve, Learn, Repeat: New Puzzle Channel Now Live

Building Reliable Asset and Identity Frameworks in Splunk ES