Splunk Search
Highlighted

When trying to filter results using where or eval, why am I not getting any results?

Path Finder

Hi all,

I am trying to filter results based on information in two fields and am getting no result when I used the expression in a eval or where statement. My filter is

"Aanpassing motorisch beperkten"="Y" AND "Aanpassing visueel beperkten"="Y".

if I use it like this it returns results,

index="chb" "Aanpassing motorisch beperkten"="Y" AND "Aanpassing visueel beperkten"="Y"

Using the above criteria in a eval or where statement as below, return no results.

index="chb" | stats count as totaal, count(if("Aanpassing motorisch beperkten"="Y" AND "Aanpassing visueel beperkten"="Y",1,0)) as toegankelijk

It seems to not see the field values in the statements. Any suggestions would be appreciated.

Regards
Simon

0 Karma
Highlighted

Re: When trying to filter results using where or eval, why am I not getting any results?

Path Finder

After playing around with the search I finally managed to get results with a work around.

It seems to not like the long field names in a where or eval statement. This is what I got to work.

index="chb" | rename "Aanpassing motorisch beperkten" as motor, "Aanpassing visueel beperkten" as vis | stats count as totaal, count(eval(motor="Y" AND vis="Y")) as toegankelijk by WegbeheerderNaam | sort -totaal

0 Karma
Highlighted

Re: When trying to filter results using where or eval, why am I not getting any results?

SplunkTrust
SplunkTrust

Please mark your answer as accepted, or you can also accept niketnilay's answer, which avoids the rename, assuming that it works for you.

Personally, I avoid long names during the code and rename immediately before presentation, but that's a matter of personal taste and catering to laziness both of typing and reading.

0 Karma
Highlighted

Re: When trying to filter results using where or eval, why am I not getting any results?

Path Finder

I have not marked my answer as accepted as, although it get results, it does not answer why the long field names work as initial filter but not in a function and I was hoping someone would be able to explain it.

0 Karma
Highlighted

Re: When trying to filter results using where or eval, why am I not getting any results?

Legend

Updated to field name with special character to be in single quotes inside eval


@srichansen I know you have a working query, how about this query which does not require field rename? If the output is what you need, you can compare this and your query performance in the Job Inspector.

index="chb" "Aanpassing motorisch beperkten"="*"  "Aanpassing visueel beperkten"="*"
| stats count as totaal, count(eval('Aanpassing motorisch beperkten'="Y" AND 'Aanpassing visueel beperkten'="Y")) as toegankelijk  by WegbeheerderNaam 
| sort -totaal

Also following is run anywhere sample

|makeresults
| eval "Test 1"="Y" 
| eval "Test 2"="Y"
| stats count as Total, count(eval('Test 1'="Y" AND 'Test 2'="Y")) as Count by _time
| sort -Total



| eval message="Happy Splunking!!!"


View solution in original post

0 Karma
Highlighted

Re: When trying to filter results using where or eval, why am I not getting any results?

Path Finder

Hi niketnilay,

Thanks for the suggestion.

I tried the query and it also does not return any results. It still seems to not see the fields and value.

0 Karma
Highlighted

Re: When trying to filter results using where or eval, why am I not getting any results?

Legend

@srichansen... Sorry Field name inside eval should have been in single quotes. I miss typed as I was trying with other test names/values. I have updated my answer, can you please try once more?




| eval message="Happy Splunking!!!"


0 Karma
Highlighted

Re: When trying to filter results using where or eval, why am I not getting any results?

Path Finder

Works perfectly now.
It had to do with the single or double quotes in the eval or where statemants.

Thanks for the assistance!

0 Karma
Highlighted

Re: When trying to filter results using where or eval, why am I not getting any results?

Legend

@srichansen... Anytime! Glad it worked 🙂




| eval message="Happy Splunking!!!"


0 Karma