the "where" command checks only one condition
doesn't work like that
my search:
. . . .
| where NOT (id_old = id OR user = username)
but there is a separate input, then everything works correctly.
help plz
I think that this
| where NOT (id_old = id OR user = username)
should be
| where (id_old != id AND user != username)
Hi
You can use OR, AND, etc. with where, as you can see at https://docs.splunk.com/Documentation/Splunk/8.2.2/SearchReference/Where
Could it be that there is confusion between a field name and a constant? Search and where work differently with those. Please see the docs; maybe this helps: https://community.splunk.com/t5/All-Apps-and-Add-ons/Difference-between-WHERE-and-SEARCH-commands/m-...
There should be quite a good explanation of how those differ, but I cannot find it now with Google.
r. Ismo
Hi @gitingua ,
I don't think the where command is going to work this way. If you want to remove this (id_old = id OR user = username) field-value pair, then simply filter in your search.
e.g.: index=test NOT (id_old = id OR user = username)
--------------------------------------
If this reply helps you, an upvote would be appreciated.
Namaste 😊
tried it, no result
@vikramyadav These parameters are used as a check.
file.csv
user | id_old | info2 |
john | abcd | qwer |
index = IndexName
username | id | info2 |
Aram | ghjk | qweiq |
Condition: if the user is not found in the file, then write it to the file.
The check is that if the id in the index is not equal to id_old in file.csv, then it is added to the file with different values. Or, if an event arrived in the index with a new user and, after checking, it is not in file.csv, then it is added to the file.
example:
index="IndexName"
| table username, id, info2
| lookup file.csv user as username output id_old user
| where NOT (id_old = id or username = user) <- This line checks only one condition. If I put only one condition, it works correctly. And I need if one condition is true then check the following
@vikramyadav Help pls
Hi @gitingua ,
try this
index="IndexName"
| table username, id, info2
| lookup file.csv user as username output id_old user
| eval newuser = (id_old ,username)
| where NOT newuser
Also, can you let me know exactly what output you are looking for?
--------------------------------------
If this reply helps you, an upvote would be appreciated.
Namaste 😊
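Added example, not part of any post in this thread: a self-contained SPL search that reproduces the three cases from the question (unchanged user, known user whose id changed, user not in file.csv) and names the not-found case with isnull() instead of leaving it to a comparison against a field the lookup never filled in. The rows are constructed, the lookup against file.csv is simulated with eval so the search runs on any instance, and the n and status fields are hypothetical helpers.

```spl
| makeresults count=3
| streamstats count as n
| eval username=case(n=1,"john", n=2,"john", n=3,"Aram"),
       id=case(n=1,"abcd", n=2,"zzzz", n=3,"ghjk")
| eval user=if(username="john","john",null()),
       id_old=if(username="john","abcd",null())
| eval status=case(isnull(user),"new user",
                   id_old!=id,"id changed",
                   true(),"unchanged")
| where status!="unchanged"
| table username, id, id_old, status
```

With the real data, replace everything above the status line with the index search and the lookup line from the question; the rows that remain are the ones to append to file.csv.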