Using a rex value in where statement

msarro · ‎03-09-2012

Hey everyone. In my data's filename there is an indicator which indicates the type of data that it is. It can either be "eu" or "cabs."
I am currently running into issues with this search:

index=cms| rex field=source "/home/cemp/CEMP/(?<EUORCABS>eu|cabs)/.*"|where EUORCABS=eu

It won't run. I have verified that the EUORCABS column is successfully created by running this search:

index=cms| rex field=source "/home/cemp/CEMP/(?<EUORCABS>eu|cabs)/.*"|table EUORCABS

All records have either a value of "eu" or "cabs" (without quotes). I have also tried casting it to a string, but no luck.

Am I missing something obvious here, or is splunk not searching properly?

Lowell · ‎03-09-2012

I think the issue is with your "where" clause:

... | where EUORCABS=eu

This is evaluating the values of fields EUORCABS and eu. That's not what you want to do.

Either use

... | where EUORCABS="eu"

or

... | search EUORCABS=eu

Kate_Lawrence-G · ‎03-09-2012

Hmm..

have you tried a stats values(EUORCABS) AS and then tried the where on that field?

Using a rex value in where statement

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

New Year. New Skills. New Course Releases from Splunk Education

Splunk and TLS: It doesn't have to be too hard

Join the Conversation

Using a rex value in where statement

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

New Year. New Skills. New Course Releases from Splunk Education

Splunk and TLS: It doesn't have to be too hard