Splunk Search

comparing two string doesn't work

rezaeimo
Explorer

I have a search query and I want to add another condition to check the URL if test!=staging. The first test is coming as a parameter and could be test, staging or prod. I've done the following query, but the test!=staging part doesn't work and is not returning as true.

index="my_index"
AND (test!=staging OR "Properties.URL"="*stg*")
source=Payments

rezaeimo
Explorer

I've used the where keyword like the following. Now the first condition works, but the second condition doesn't work. name is a parameter that could be test, staging or prod. Do you have any idea why the second condition doesn't work?

index="my_index"
source=Payments
|where ("#{name}"!="staging" OR "Properties.URL" like "%stg%")

PickleRick
SplunkTrust

You're comparing two strings which will never match.

You need to use single quotes for the field name

'Properties.URL' like "%stg%"

gcusello
SplunkTrust

Hi @rezaeimo ,

I'm not sure about the conditions you used and sometimes the dot in the field name gives problems, so please try this:

index="my_index" source=Payments
| rename Properties.URL AS URL
| search ("test"!="staging" OR URL like "%stg%")

Ciao.

Giuseppe

rezaeimo
Explorer

Great idea to use rename, thanks for that. It didn't work with search, but I've used rename and where and got it working. Here is what worked for me.

index="my_index"
source=Payments
|rename "Properties.URL" as Url 
|where ("#{name}"!="staging" OR Url like "%stg%")

gcusello
SplunkTrust

Hi @rezaeimo,

As I said, this is a frequent issue, and I don't understand why someone at Splunk doesn't resolve it!

Anyway, good for you, see you next time!

Let us know if we can help you more, or, please, accept one answer for the other people of the Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

PickleRick
SplunkTrust

That's not a real issue. If you have field names consisting of more than just alphanumeric characters, you use single quotes to define them. In fact you can use the single quotes every time, it's just that with "simple" field names you can omit them.

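To make the quoting difference PickleRick describes visible side by side, here is an added example (not from this thread) that uses makeresults so it runs without the my_index data. The three Properties.URL values, the example.com hosts and the name field standing in for the #{name} parameter are constructed for the demonstration; wrong_cmp compares the literal string "Properties.URL" against the pattern and is never a match, while right_cmp reads the field through single quotes.

```spl
| makeresults count=3
| streamstats count AS n
| eval 'Properties.URL'=case(n==1, "https://api.stg.example.com/pay", n==2, "https://api.example.com/pay", n==3, "https://stg-payments.example.com/pay")
| eval name="staging"
| eval wrong_cmp=if("Properties.URL" like "%stg%", "match", "no match")
| eval right_cmp=if('Properties.URL' like "%stg%", "match", "no match")
| eval kept=if(name!="staging" OR 'Properties.URL' like "%stg%", "kept", "dropped")
| table n Properties.URL wrong_cmp right_cmp kept
```

Rows 1 and 3 show "no match" in wrong_cmp but "match" in right_cmp, which is exactly why the original where clause only honoured its first condition.
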
gcusello
SplunkTrust

Hi @rezaeimo,

You could try using quotes for the staging value:

index="my_index" (test!="staging" OR "Properties.URL"="*stg*") source=Payments

Or you could try the other condition: it's always better to use positive conditions than negative ones:

index="my_index" (test IN ("test","prod") OR "Properties.URL"="*stg*") source=Payments

Ciao.

Giuseppe

rezaeimo
Explorer

For me the fix was to use the where keyword.

index="my_index"
source=Payments
|search ("test" !="staging" OR "Properties.URL"="*stg*")

gcusello
SplunkTrust

Hi @rezaeimo,

You don't need to use the search command after the main search; this command is used only if you have to use a field not defined in the main search.

In addition, you don't need to use quotes for fields without spaces or special chars.

Ciao,

Giuseppe
