Hi all,
I am trying to filter results based on information in two fields and am getting no result when I used the expression in a eval or where statement. My filter is
"Aanpassing motorisch beperkten"="Y" AND "Aanpassing visueel beperkten"="Y".
if I use it like this it returns results,
index="chb" "Aanpassing motorisch beperkten"="Y" AND "Aanpassing visueel beperkten"="Y"
Using the above criteria in a eval or where statement as below, return no results.
index="chb" | stats count as totaal, count(if("Aanpassing motorisch beperkten"="Y" AND "Aanpassing visueel beperkten"="Y",1,0)) as toegankelijk
It seems to not see the field values in the statements. Any suggestions would be appreciated.
Regards
Simon
Updated to field name with special character to be in single quotes inside eval
@srichansen I know you have a working query, how about this query which does not require field rename? If the output is what you need, you can compare this and your query performance in the Job Inspector.
index="chb" "Aanpassing motorisch beperkten"="*" "Aanpassing visueel beperkten"="*"
| stats count as totaal, count(eval('Aanpassing motorisch beperkten'="Y" AND 'Aanpassing visueel beperkten'="Y")) as toegankelijk by WegbeheerderNaam
| sort -totaal
Also following is run anywhere sample
|makeresults
| eval "Test 1"="Y"
| eval "Test 2"="Y"
| stats count as Total, count(eval('Test 1'="Y" AND 'Test 2'="Y")) as Count by _time
| sort -Total
Updated to field name with special character to be in single quotes inside eval
@srichansen I know you have a working query, how about this query which does not require field rename? If the output is what you need, you can compare this and your query performance in the Job Inspector.
index="chb" "Aanpassing motorisch beperkten"="*" "Aanpassing visueel beperkten"="*"
| stats count as totaal, count(eval('Aanpassing motorisch beperkten'="Y" AND 'Aanpassing visueel beperkten'="Y")) as toegankelijk by WegbeheerderNaam
| sort -totaal
Also following is run anywhere sample
|makeresults
| eval "Test 1"="Y"
| eval "Test 2"="Y"
| stats count as Total, count(eval('Test 1'="Y" AND 'Test 2'="Y")) as Count by _time
| sort -Total
Hi niketnilay,
Thanks for the suggestion.
I tried the query and it also does not return any results. It still seems to not see the fields and value.
Works perfectly now.
It had to do with the single or double quotes in the eval or where statemants.
Thanks for the assistance!
@srichansen... Anytime! Glad it worked 🙂
@srichansen... Sorry Field name inside eval should have been in single quotes. I miss typed as I was trying with other test names/values. I have updated my answer, can you please try once more?
After playing around with the search I finally managed to get results with a work around.
It seems to not like the long field names in a where or eval statement. This is what I got to work.
index="chb" | rename "Aanpassing motorisch beperkten" as motor, "Aanpassing visueel beperkten" as vis | stats count as totaal, count(eval(motor="Y" AND vis="Y")) as toegankelijk by WegbeheerderNaam | sort -totaal
Please mark your answer as accepted, or you can also accept niketnilay's answer, which avoids the rename, assuming that it works for you.
Personally, I avoid long names during the code and rename immediately before presentation, but that's a matter of personal taste and catering to laziness both of typing and reading.
I have not marked my answer as accepted as, although it get results, it does not answer why the long field names work as initial filter but not in a function and I was hoping someone would be able to explain it.