Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why am I getting where clause?

hantun
Loves-to-Learn Lots
‎04-24-2023 12:06 PM

I have a search where I am comparing two indexes for a matching cell and I am trying to filter where Business = 1X... here's the SPL:

index=csmp OR index=aws-business-map
| eval BindleNew = case(sourcetype="sim_csmp", AWSAccountName, sourcetype="csv", BindleName)
| stats values(IssueUrl), values(AWSAccountName) as AWSAccountName, values(BindleName), values(Business) by BindleNew
| search AWSAccountName!=""

I am unsure where to put Business-="1X" clause. 

Also, if we have more indexes like csmp that I am trying to compare to aws-business-map, how do we go about matching 4 indexes to aws-business-map?

Labels (2)
Labels
0 Karma
Reply

hantun
Loves-to-Learn Lots
‎04-25-2023 04:48 PM

Can we put that into a static function of a dropdown? If so, how should we go about it? 

I am building dashboard where we are counting the business

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-27-2023 05:43 AM

Static values are pre-defined and cannot use search results.  It's the dynamic dropdowns that use searches.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-24-2023 02:48 PM

This should answer the question

index=csmp OR index=aws-business-map
| eval BindleNew = case(sourcetype="sim_csmp", AWSAccountName, sourcetype="csv", BindleName)
| stats values(IssueUrl), values(AWSAccountName) as AWSAccountName, values(BindleName), values(Business) as Business by BindleNew
| search AWSAccountName!="" Business-="1X"

To add more indexes

index=csmp OR index=aws-business-map OR index=index3 OR index=index4
| eval BindleNew = case(sourcetype="sim_csmp", AWSAccountName, sourcetype="csv", BindleName, sourcetype="st3", foo, sourcetype="st4", bar)
| stats values(IssueUrl), values(AWSAccountName) as AWSAccountName, values(BindleName), values(Business) as Business by BindleNew
| search AWSAccountName!="" Business-="1X"

I believe it will not solve the problem, however.  That's because the values function returns a multi-value field that doesn't work well with many other commands.  Multi-value fields need to be processed with mv* functions (mvindex, mvfind, etc).

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

hantun
Loves-to-Learn Lots
‎04-25-2023 11:23 AM

index=csmp OR index=aws-business-map OR index=sim OR index=guardduty
| eval BindleNew = case(sourcetype="sim_csmp", AWSAccountName, sourcetype="csv", BindleName, sourcetype="sim_prod", WAWT2-BindleName, sourcetype="sim_prod", CloudTrail-AWSAccountName, sourcetype="sim_gd", AWSAccountId)
| stats values(IssueUrl), values(AWSAccountName) as AWSAccountName, values(BindleName), values(WAWT2-BindleName), values(CloudTrail-AWSAccountName), values(AWSAccountId), values(Business) as Business by BindleNew
| search AWSAccountName!="" Business="XP"

This is what I have for combination so far. Something to note is that CloudTrail-AWSAccountName, WAWT2-BindleName, BindleName, AWSAccountName are all the same data. Can we normalize them using Match?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-25-2023 01:07 PM

If those fields are all the same then there's no need for a case function.  Use the coalesce function to choose the first field that is present in the current event.

index=csmp OR index=aws-business-map OR index=sim OR index=guardduty
| eval BindleNew = lower(coalesce(AWSAccountName, BindleName, WAWT2-BindleName, CloudTrail-AWSAccountName, AWSAccountId))
| stats values(IssueUrl), values(AWSAccountName) as AWSAccountName, values(BindleName), values(WAWT2-BindleName), values(CloudTrail-AWSAccountName), values(AWSAccountId), values(Business) as Business by BindleNew
| search AWSAccountName!="" Business="XP"

 

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

hantun
Loves-to-Learn Lots
‎04-27-2023 12:19 PM

How can we put that SPL query into a dynamic dropdown?

My project is looking for if the query spits out 1X, splunk gets all the events with the Business as 1X. If query is looking for 2X, gets all the events with Business as 2X. Then, I have dashboard panels that are doing counts etc depending on the dropdown.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-27-2023 02:12 PM

Edit the dashboard and click on the edit icon for the dropdown.  Put the query into the search box in the Dynamic Options section.

richgalloway_0-1682629922266.png

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Thanks for the Memories! Splunk University, .conf25, and our Community

Thank you to everyone in the Splunk Community who joined us for .conf25, which kicked off with our iconic ...

Data Persistence in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. What happens if the OpenTelemetry collector ...

Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever

Now On Demand Whether you're managing complex deployments or looking to future-proof your data ...