
Trying to get values from multiple filters (not sure if that's correct terminology)

SSJMBP
New Member

Hey all,

I'm new to Splunk and only have basic knowledge of Python/Scripting and RegEx. 

I'm trying to build my hands-on skills right now by doing a job simulation on The Forage for the Commonwealth Bank
In the first part of the simulation we're required to pull multiple sets of data to create a dashboard with different charts to show fraud attempts by various data sets.

The one I'm stuck on is we're asked to pull a chart on "Which gender performed the most fraudulent activities and in what category?"

I'm trying to use:

sourcetype="fraud_detection.csv" fraud="1" gender="F'" gender="M'"
| stats count values(fraud) values(age) by category 


but the search only accepts one gender argument, either gender="F'" or "M'", for some reason.  
I've tried using gender="M'" AND gender="F'", gender="F'" + gender="M'", gender="F' + M'" but I can't quite figure it out. 
I've looked into joining data but I'm not sure that's the solution I'm after?

Any help would be appreciated. 


emdaax
Explorer

Hi @SSJMBP

You can use the IN operator when you want to determine if a field contains one of several values. This can make your search queries cleaner and easier to read.

For example, instead of using multiple OR conditions, you can use:

sourcetype="fraud_detection.csv" fraud="1" gender IN ("F", "M")

This ensures that the filter applies correctly to include events with either gender "F" or "M".

Ref: Search Reference

Additionally, as already suggested by ITWhisperer, please always try to include a few anonymized example events. This makes it easier for all contributors to understand the dataset you are working with and provide more accurate support.

best regards,


ITWhisperer
SplunkTrust

The filter applies to each event, so if you want to keep an event that has either M* or F*, you need to use OR e.g. 

sourcetype="fraud_detection.csv" fraud="1" (gender="F'" OR gender="M'")

I don't know your data but I am assuming the single quote is part of the gender field.

If not, it would be useful if you could share some anonymised events in a code block </> so we can see what it is that you are dealing with.

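The point both answers make (a search filter is evaluated per event, so two different values of the same field joined by an implicit AND can never both be true on one event) is easy to see by running the same logic over a handful of rows outside Splunk. The following is an added example, not code from the thread or from Splunk; it uses a small constructed CSV in the shape the question describes (category, gender, age, fraud columns, gender stored as plain "F"/"M" without the stray single quote, which is an assumption) and mirrors the three searches in plain Python: the original implicit-AND search, the OR / IN search, and the final stats-style count by gender and category that the "which gender, in what category" chart needs.

```python
import csv
import io
from collections import Counter

# Constructed sample in the shape of fraud_detection.csv; NOT the real Forage dataset.
# Assumption: gender values are plain "F"/"M" (no trailing single quote).
SAMPLE_CSV = """category,gender,age,fraud
grocery_pos,F,34,1
shopping_net,M,45,1
shopping_net,F,29,1
gas_transport,M,52,0
grocery_pos,F,61,0
shopping_net,M,23,1
misc_net,F,40,1
"""


def load_events(text=SAMPLE_CSV):
    """Parse the CSV into a list of dicts, one per event (like one Splunk event each)."""
    return list(csv.DictReader(io.StringIO(text)))


def search_implicit_and(events):
    """Equivalent of: fraud="1" gender="F" gender="M"

    Adjacent terms in SPL are ANDed, and every term is tested against the same
    event, so no single event can have gender == "F" and gender == "M" at once.
    This always returns an empty list, which is why the original search
    "only accepts one gender".
    """
    return [
        e for e in events
        if e["fraud"] == "1" and e["gender"] == "F" and e["gender"] == "M"
    ]


def search_or(events, genders=("F", "M")):
    """Equivalent of: fraud="1" (gender="F" OR gender="M")
    or the shorter:   fraud="1" gender IN ("F", "M")

    An event is kept when its gender matches ANY of the listed values.
    """
    return [e for e in events if e["fraud"] == "1" and e["gender"] in genders]


def count_by(events, *fields):
    """Equivalent of: | stats count by <fields>

    Returns a Counter keyed by the tuple of field values, e.g. (gender, category).
    """
    return Counter(tuple(e[f] for f in fields) for e in events)


def top_gender_and_category(events):
    """Answer "which gender performed the most fraud, and in what category?"

    Note this is a count by BOTH gender and category, not by category alone:
    grouping only by category would hide which gender produced the events.
    """
    counts = count_by(search_or(events), "gender", "category")
    (gender, category), n = counts.most_common(1)[0]
    return gender, category, n


if __name__ == "__main__":
    evts = load_events()
    print("implicit AND matches:", len(search_implicit_and(evts)))   # 0
    print("OR / IN matches:", len(search_or(evts)))                  # 5
    print("count by gender:", dict(count_by(search_or(evts), "gender")))
    print("count by gender, category:", dict(count_by(search_or(evts), "gender", "category")))
    print("top:", top_gender_and_category(evts))
```

On the sample data the implicit-AND search matches nothing, the OR/IN search keeps all five fraud rows, and the grouped count shows why grouping by gender and category together matters: "F" has the most fraud events overall (3 to 2), but the single busiest gender/category pair is "M" in shopping_net. In SPL the equivalent of the last function would be `... gender IN ("F", "M") | stats count by gender, category | sort - count`.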