Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

convert eval into search using AND...

Raj_Splunk_Ing
Path Finder
‎10-11-2024 09:29 AM

Hi All,

i have this calculation and at the end iam using where to get only what i need. splunk suggests that put this into search

index= xyz
AND source=abc
AND sourcetype=S1
AND client="BOFA"
AND
status_code -- how do i get this to get only the status codes that are 
>=199 and <300  --> these belong to  my success bucket
>=499                      --> These belong to my error bucket



| eval Derived_Status_Code=

case(

status_code>=199 and status_code<300,"Success",
status_code>=499,"Errors",
1=1,"Others"  ``` I do not need anything that is not in the above conditions
)
|Table <>
|Where Derived_Status_Code IN ("Errors',"Success")


I want to avoid where and get this into search using AND

Thank you so much for your time


0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎10-11-2024 11:03 AM

You can simply do

...  ((status_code>=199 status_code<300) OR (status_code>=499))

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎10-11-2024 11:03 AM

You can simply do

...  ((status_code>=199 status_code<300) OR (status_code>=499))

 

0 Karma
Reply
Solved! Jump to solution

Raj_Splunk_Ing
Path Finder
‎10-11-2024 12:46 PM

figured out.. my column name had one upper case letter in it.....i think i need to slowdown from the Splunk..ing excitement 🙂😀

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎10-11-2024 01:52 PM

Ahh... you found out yourself what I've just wrote you 🙂

Good job.

Remember that case matters in field names. It might matter or not for field values depending on how you're using the condition.

something | search a=b

will match whenever field a has value of either b or B

But

something | where a="B"

will match only upper-case B.

0 Karma
Reply
Solved! Jump to solution

Raj_Splunk_Ing
Path Finder
‎10-11-2024 11:58 AM

tired both of the below... i only see errors which are  >=499..for some reason i dont see the success ones
none of the 200 or showing...something is wrong

AND ((status_code>=199 status_Code<300) OR (status_code>=499) )  - understand that there is an implied AND in it

 

AND ((status_code>=199 AND status_Code<300) OR (status_code>=499) )  --explicit AND mentioned

 

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎10-11-2024 01:48 PM

Case matters for field names so if you indeed use

status_Code<300

when the field is named

status_code

it won't match

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...