Splunk Search

command "where" not working

gitingua
Communicator

The "where" command checks only one condition.

It doesn't work like that.

my search:

. . . . 

| where NOT (id_old = id OR user = username)

 

But if there is a separate input, then everything works correctly.

Help please.

0 Karma
1 Solution

isoutamo
SplunkTrust

I think that this 

| where NOT (id_old = id OR user = username)

should be 

| where (id_old != id AND user != username)

 


isoutamo
SplunkTrust

Hi

You can use OR, AND, etc. with where, as you can see at https://docs.splunk.com/Documentation/Splunk/8.2.2/SearchReference/Where

Could it be that there is confusion between a field name and a constant? Search and where work differently with those. Please see the docs; maybe this helps: https://community.splunk.com/t5/All-Apps-and-Add-ons/Difference-between-WHERE-and-SEARCH-commands/m-...

There should be a quite good explanation of how those differ, but I cannot find it now with Google.

r. Ismo

0 Karma

vikramyadav
Contributor

Hi @gitingua ,

I don't think the where command is going to work this way. If you want to remove this (id_old = id OR user = username) field-value pair, then simply filter in your search.

e.g.: index=test NOT (id_old = id OR user = username)

-------------------------------------- 

If this reply helps you, an upvote would be appreciated.  

Namaste 😊  

0 Karma

gitingua
Communicator

@vikramyadav 

| where id_old != id or username != user

That doesn't work either.

0 Karma

isoutamo
SplunkTrust
You should use OR not or.
0 Karma

gitingua
Communicator

Tried it, no result.

0 Karma

isoutamo
SplunkTrust
And do those fields have values, not NULL? If needed, add something like (isnotnull(field1) AND isnotnull(field2)) AND field1 != field2
0 Karma


gitingua
Communicator

@vikramyadav These parameters are used as a check. 

file.csv 

user   id_old   info2
john   abcd     qwer

 

index = IndexName

username   id     info2
Aram       ghjk   qweiq

 

Condition: if the user is not found in the file, then write it to the file.

The check is: if the id in the index is not equal to id_old in file.csv, then it is added to the file with the different values. Or an event arrives in the index with a new user, and after checking that it is not in file.csv, it is added to the file.

 

Example:

index="IndexName"
| table username, id, info2
| lookup file.csv user as username output id_old user
| where NOT (id_old = id or username = user)

The last line (the where) checks only one condition. If I put only one condition, it works correctly. And I need that if one condition is true, then it checks the following one.

@vikramyadav Help please.

0 Karma
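To make visible what the search in the post above actually evaluates, here is an added Python model of the `lookup` followed by `where`; it is an illustration written for this thread, not Splunk code and not the poster's search. It uses constructed rows based on the two small tables in the post, and it assumes Splunk's eval semantics as described in the docs: a comparison against a field the lookup did not fill (null) yields null, and `where` keeps only rows whose expression is exactly true. Two things then follow. First, `user` is the lookup's join key (`user as username`), so on every matched row `user = username` is trivially true and the `OR` is true regardless of `id_old`; on unmatched rows both comparisons are null. `NOT (...)` is therefore false or null on every row and nothing survives, which is why it looks as if only one condition is being checked. Second, a predicate that expresses the stated goal (user not in file.csv, or id differs) is `isnull(id_old) OR id_old != id`, which is the check a defender would use to flag unknown users or changed identifiers.

```python
"""Model of `| lookup file.csv user as username output id_old user`
followed by `| where ...`, using three-valued logic (True / False / None).
Added illustration; null semantics are an assumption matching Splunk docs."""

# Constructed sample data (based on the tables in the post, plus one changed id).
INDEX_EVENTS = [
    {"username": "john", "id": "abcd", "info2": "qwer"},   # known user, same id
    {"username": "aram", "id": "ghjk", "info2": "qweiq"},  # user not in file.csv
    {"username": "john", "id": "zzzz", "info2": "new"},    # known user, id changed
]
FILE_CSV = [
    {"user": "john", "id_old": "abcd", "info2": "qwer"},
]


def lookup(events, table, match_field, event_field, outputs):
    """Copy the output fields from the first table row whose match_field equals
    the event's event_field; events with no match get None (null) for them."""
    rows = []
    for ev in events:
        row = dict(ev)
        hit = next((r for r in table if r[match_field] == ev[event_field]), None)
        for f in outputs:
            row[f] = hit[f] if hit else None
        rows.append(row)
    return rows


# Three-valued logic helpers (None stands for a null field).
def eq(a, b):
    return None if a is None or b is None else a == b


def neq(a, b):
    return None if a is None or b is None else a != b


def or_(a, b):
    if a is True or b is True:
        return True
    return None if a is None or b is None else False


def not_(a):
    return None if a is None else not a


def isnull(a):
    return a is None


def where(rows, predicate):
    """`| where <expr>` keeps only rows where the expression is exactly true;
    false and null rows are both dropped."""
    return [r for r in rows if predicate(r) is True]


def original_filter(row):
    # | where NOT (id_old = id OR user = username)
    # `user` came from the lookup keyed on username, so user = username is
    # always true on matched rows and null on unmatched rows.
    return not_(or_(eq(row["id_old"], row["id"]), eq(row["user"], row["username"])))


def fixed_filter(row):
    # | where isnull(id_old) OR id_old != id
    # true for users absent from file.csv and for users whose id changed.
    return or_(isnull(row["id_old"]), neq(row["id_old"], row["id"]))


def run(predicate):
    """Run lookup then where and return 'username:id' of the surviving rows."""
    joined = lookup(INDEX_EVENTS, FILE_CSV, "user", "username", ["id_old", "user"])
    return [r["username"] + ":" + r["id"] for r in where(joined, predicate)]


if __name__ == "__main__":
    print("original:", run(original_filter))  # nothing survives
    print("fixed:   ", run(fixed_filter))     # new user and changed id
```

In Splunk terms the corrected line would be `| where isnull(id_old) OR id_old != id`; `isnull()` is a documented eval function, and the rows it keeps are exactly the ones to append to file.csv. If `id_old` is left null and compared directly, as in the original search, the row is silently dropped rather than flagged.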

vikramyadav
Contributor

Hi @gitingua ,

Try this:

index="IndexName"
| table username, id, info2
| lookup file.csv user as username output id_old user
| eval newuser = (id_old ,username)
| where NOT newuser

Also, can you let me know exactly what output you are looking for?

-------------------------------------- 

If this reply helps you, an upvote would be appreciated.  

Namaste 😊  
