Splunk Search

When trying to filter results using where or eval, why am I not getting any results?

srichansen
Path Finder

Hi all,

I am trying to filter results based on information in two fields and am getting no result when I used the expression in a eval or where statement. My filter is

"Aanpassing motorisch beperkten"="Y" AND "Aanpassing visueel beperkten"="Y".

if I use it like this it returns results,

index="chb" "Aanpassing motorisch beperkten"="Y" AND "Aanpassing visueel beperkten"="Y"

Using the above criteria in a eval or where statement as below, return no results.

index="chb" | stats count as totaal, count(if("Aanpassing motorisch beperkten"="Y" AND "Aanpassing visueel beperkten"="Y",1,0)) as toegankelijk

It seems to not see the field values in the statements. Any suggestions would be appreciated.

Regards
Simon

0 Karma
1 Solution

niketn
Legend

Updated to field name with special character to be in single quotes inside eval


@srichansen I know you have a working query, how about this query which does not require field rename? If the output is what you need, you can compare this and your query performance in the Job Inspector.

index="chb" "Aanpassing motorisch beperkten"="*"  "Aanpassing visueel beperkten"="*"
| stats count as totaal, count(eval('Aanpassing motorisch beperkten'="Y" AND 'Aanpassing visueel beperkten'="Y")) as toegankelijk  by WegbeheerderNaam 
| sort -totaal

Also following is run anywhere sample

|makeresults
| eval "Test 1"="Y" 
| eval "Test 2"="Y"
| stats count as Total, count(eval('Test 1'="Y" AND 'Test 2'="Y")) as Count by _time
| sort -Total
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma

niketn
Legend

Updated to field name with special character to be in single quotes inside eval


@srichansen I know you have a working query, how about this query which does not require field rename? If the output is what you need, you can compare this and your query performance in the Job Inspector.

index="chb" "Aanpassing motorisch beperkten"="*"  "Aanpassing visueel beperkten"="*"
| stats count as totaal, count(eval('Aanpassing motorisch beperkten'="Y" AND 'Aanpassing visueel beperkten'="Y")) as toegankelijk  by WegbeheerderNaam 
| sort -totaal

Also following is run anywhere sample

|makeresults
| eval "Test 1"="Y" 
| eval "Test 2"="Y"
| stats count as Total, count(eval('Test 1'="Y" AND 'Test 2'="Y")) as Count by _time
| sort -Total
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

srichansen
Path Finder

Hi niketnilay,

Thanks for the suggestion.

I tried the query and it also does not return any results. It still seems to not see the fields and value.

0 Karma

srichansen
Path Finder

Works perfectly now.
It had to do with the single or double quotes in the eval or where statemants.

Thanks for the assistance!

0 Karma

niketn
Legend

@srichansen... Anytime! Glad it worked 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

niketn
Legend

@srichansen... Sorry Field name inside eval should have been in single quotes. I miss typed as I was trying with other test names/values. I have updated my answer, can you please try once more?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

srichansen
Path Finder

After playing around with the search I finally managed to get results with a work around.

It seems to not like the long field names in a where or eval statement. This is what I got to work.

index="chb" | rename "Aanpassing motorisch beperkten" as motor, "Aanpassing visueel beperkten" as vis | stats count as totaal, count(eval(motor="Y" AND vis="Y")) as toegankelijk by WegbeheerderNaam | sort -totaal

0 Karma

DalJeanis
Legend

Please mark your answer as accepted, or you can also accept niketnilay's answer, which avoids the rename, assuming that it works for you.

Personally, I avoid long names during the code and rename immediately before presentation, but that's a matter of personal taste and catering to laziness both of typing and reading.

0 Karma

srichansen
Path Finder

I have not marked my answer as accepted as, although it get results, it does not answer why the long field names work as initial filter but not in a function and I was hoping someone would be able to explain it.

0 Karma
Get Updates on the Splunk Community!

3 Ways to Make OpenTelemetry Even Better

My role as an Observability Specialist at Splunk provides me with the opportunity to work with customers of ...

What's New in Splunk Cloud Platform 9.2.2406?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2406 with many ...

Enterprise Security Content Update (ESCU) | New Releases

In August, the Splunk Threat Research Team had 3 releases of new security content via the Enterprise Security ...