Using a rex value in where statement

msarro · ‎03-09-2012

Hey everyone. In my data's filename there is an indicator which indicates the type of data that it is. It can either be "eu" or "cabs."
I am currently running into issues with this search:

index=cms| rex field=source "/home/cemp/CEMP/(?<EUORCABS>eu|cabs)/.*"|where EUORCABS=eu

It won't run. I have verified that the EUORCABS column is successfully created by running this search:

index=cms| rex field=source "/home/cemp/CEMP/(?<EUORCABS>eu|cabs)/.*"|table EUORCABS

All records have either a value of "eu" or "cabs" (without quotes). I have also tried casting it to a string, but no luck.

Am I missing something obvious here, or is splunk not searching properly?

Lowell · ‎03-09-2012

I think the issue is with your "where" clause:

... | where EUORCABS=eu

This is evaluating the values of fields EUORCABS and eu. That's not what you want to do.

Either use

... | where EUORCABS="eu"

or

... | search EUORCABS=eu

Kate_Lawrence-G · ‎03-09-2012

Hmm..

have you tried a stats values(EUORCABS) AS and then tried the where on that field?

Using a rex value in where statement

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

Are you a member of the Splunk Community?

Using a rex value in where statement

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

Brains, Bytes, and Boston: Learn from the Best at .conf25