Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

convert eval into search using AND...

Raj_Splunk_Ing
Path Finder
‎10-11-2024 09:29 AM

Hi All,

i have this calculation and at the end iam using where to get only what i need. splunk suggests that put this into search

index= xyz
AND source=abc
AND sourcetype=S1
AND client="BOFA"
AND
status_code -- how do i get this to get only the status codes that are 
>=199 and <300  --> these belong to  my success bucket
>=499                      --> These belong to my error bucket



| eval Derived_Status_Code=

case(

status_code>=199 and status_code<300,"Success",
status_code>=499,"Errors",
1=1,"Others"  ``` I do not need anything that is not in the above conditions
)
|Table <>
|Where Derived_Status_Code IN ("Errors',"Success")


I want to avoid where and get this into search using AND

Thank you so much for your time


0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎10-11-2024 11:03 AM

You can simply do

...  ((status_code>=199 status_code<300) OR (status_code>=499))

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎10-11-2024 11:03 AM

You can simply do

...  ((status_code>=199 status_code<300) OR (status_code>=499))

 

0 Karma
Reply
Solved! Jump to solution

Raj_Splunk_Ing
Path Finder
‎10-11-2024 12:46 PM

figured out.. my column name had one upper case letter in it.....i think i need to slowdown from the Splunk..ing excitement 🙂😀

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎10-11-2024 01:52 PM

Ahh... you found out yourself what I've just wrote you 🙂

Good job.

Remember that case matters in field names. It might matter or not for field values depending on how you're using the condition.

something | search a=b

will match whenever field a has value of either b or B

But

something | where a="B"

will match only upper-case B.

0 Karma
Reply
Solved! Jump to solution

Raj_Splunk_Ing
Path Finder
‎10-11-2024 11:58 AM

tired both of the below... i only see errors which are  >=499..for some reason i dont see the success ones
none of the 200 or showing...something is wrong

AND ((status_code>=199 status_Code<300) OR (status_code>=499) )  - understand that there is an implied AND in it

 

AND ((status_code>=199 AND status_Code<300) OR (status_code>=499) )  --explicit AND mentioned

 

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎10-11-2024 01:48 PM

Case matters for field names so if you indeed use

status_Code<300

when the field is named

status_code

it won't match

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...

Introduction to Splunk AI

How are you using AI in Splunk? Whether you see AI as a threat or opportunity, AI is here to stay. Lucky for ...