Splunk Search

Trying to get values from multiple filters (not sure if that's correct terminology)

SSJMBP
New Member

Hey all,

I'm new to Splunk and only have basic knowledge of Python/Scripting and RegEx. 

I'm trying to build my hands-on skills right now by doing a job simulation on The Forage for the Commonwealth Bank.
In the first part of the simulation we're required to pull multiple sets of data to create a dashboard with different charts to show fraud attempts by various data sets.

The one I'm stuck on is we're asked to pull a chart on "Which gender performed the most fraudulent activities and in what category?"

I'm trying to use:

sourcetype="fraud_detection.csv" fraud="1" gender="F'" gender="M'"
| stats count values(fraud) values(age) by category 


but the search only accepts one gender argument, either gender="F'" or "M'", for some reason.
I've tried using gender="M'" AND gender="F'", gender="F'" + gender="M'", gender="F' + M'" but I can't quite figure it out. 
I've looked into joining data but I'm not sure that's the solution I'm after?

Any help would be appreciated. 


emdaax
Explorer

Hi @SSJMBP

You can use the IN operator when you want to determine if a field contains one of several values. This can make your search queries cleaner and easier to read.

For example, instead of using multiple OR conditions, you can use:

sourcetype="fraud_detection.csv" fraud="1" gender IN ("F", "M")

This ensures that the filter applies correctly to include events with either gender "F" or "M".

Ref: Search Reference

Additionally, as already suggested by ITWhisperer, please try always to include a few anonymized example events. This makes it easier for all contributors to understand the dataset you are working with and provide more accurate support.

Best regards,


ITWhisperer
SplunkTrust

The filter applies to each event, so if you want to keep an event that has either M* or F*, you need to use OR e.g. 

sourcetype="fraud_detection.csv" fraud="1" (gender="F'" OR gender="M'")

I don't know your data but I am assuming the single quote is part of the gender field.

If not, it would be useful if you could share some anonymised events in a code block </> so we can see what it is that you are dealing with.

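Putting both answers together, here is an added example search (not posted by anyone in this thread) that answers the simulation question "which gender performed the most fraudulent activities and in what category?": the OR filter keeps both genders, and splitting the count by gender and category gives one row per pair, sorted so the top row is the answer. It assumes the gender values are plain F and M, and that fraud, gender and category are the field names shown in the question.

```spl
sourcetype="fraud_detection.csv" fraud="1" (gender="F" OR gender="M")
| stats count AS fraud_count BY gender category
| sort - fraud_count
```

If the single quote really is part of the stored value, keep the original gender="F'" OR gender="M'" form in the first line; the rest of the search is unchanged.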