Hi All,
I have this calculation, and at the end I am using where to get only what I need. Splunk suggests putting this into search
index= xyz
AND source=abc
AND sourcetype=S1
AND client="BOFA"
AND
status_code -- how do I get this to get only the status codes that are
>=199 and <300 --> these belong to my success bucket
>=499 --> These belong to my error bucket
| eval Derived_Status_Code=
case(
status_code>=199 and status_code<300,"Success",
status_code>=499,"Errors",
1=1,"Others" ``` I do not need anything that is not in the above conditions ```
)
|Table <>
|Where Derived_Status_Code IN ("Errors","Success")
I want to avoid where and get this into search using AND
Thank you so much for your time
You can simply do
... ((status_code>=199 status_code<300) OR (status_code>=499))
Figured it out.. my column name had one upper case letter in it..... I think I need to slow down from the Splunk..ing excitement 🙂😀
Ahh... you found out yourself what I've just written you 🙂
Good job.
Remember that case matters in field names. It might matter or not for field values depending on how you're using the condition.
something | search a=b
will match whenever field a has value of either b or B
But
something | where a="B"
will match only upper-case B.
Tried both of the below... I only see errors which are >=499.. for some reason I don't see the success ones.
None of the 200 are showing... something is wrong
AND ((status_code>=199 status_Code<300) OR (status_code>=499) ) - understand that there is an implied AND in it
AND ((status_code>=199 AND status_Code<300) OR (status_code>=499) ) --explicit AND mentioned
Case matters for field names so if you indeed use
status_Code<300
when the field is named
status_code
it won't match
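
A self-contained way to check the filter from this thread without touching an index, added here as an example and not posted by any participant: `makeresults` builds five constructed events (the values 200, 204, 302, 404, 503 and the helper fields `n` and `sample` are assumptions), the `search` line applies the suggested condition, and `stats` counts what survives per bucket.

```spl
| makeresults count=5
| streamstats count AS n
| eval status_code=case(n=1,200, n=2,204, n=3,302, n=4,404, n=5,503)
| eval sample="constructed"
| search (status_code>=199 status_code<300) OR status_code>=499
| eval Derived_Status_Code=if(status_code>=499, "Errors", "Success")
| stats count BY Derived_Status_Code
```

Changing `status_code<300` to `status_Code<300` in the `search` line reproduces the symptom reported above: the Success row disappears and only Errors remains.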