Splunk Search

convert eval into search using AND...

Raj_Splunk_Ing
Path Finder

Hi All,

I have this calculation, and at the end I am using where to get only what I need. Splunk suggests that I put this into search:

index=xyz
AND source=abc
AND sourcetype=S1
AND client="BOFA"
AND status_code -- how do I get this to return only the status codes that are
    >=199 and <300  --> these belong to my success bucket
    >=499           --> these belong to my error bucket

| eval Derived_Status_Code=
case(
    status_code>=199 AND status_code<300,"Success",
    status_code>=499,"Errors",
    1=1,"Others"    -- I do not need anything that is not in the above conditions
)
| table <>
| where Derived_Status_Code IN ("Errors","Success")


I want to avoid where and get this into search using AND

Thank you so much for your time


0 Karma
1 Solution

PickleRick
SplunkTrust
SplunkTrust

You can simply do

...  ((status_code>=199 status_code<300) OR (status_code>=499))

 


0 Karma
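The accepted answer above, carried through to a complete search, as an added example that is not part of the original post or PickleRick's reply. It builds a handful of constructed status codes with makeresults so it can be run without the poster's index, pushes the range filter into the search command (so only the events in the two buckets are retrieved at all), and then buckets with eval; the Others branch and the trailing where are no longer needed because the filter has already dropped everything outside the two ranges. The field name status_code and the values are assumptions for the demonstration.

```spl
| makeresults count=1
| eval status_code=split("200,204,302,404,499,503", ",")
| mvexpand status_code
| eval status_code=tonumber(status_code)
| search ((status_code>=199 status_code<300) OR (status_code>=499))
| eval Derived_Status_Code=case(
    status_code>=199 AND status_code<300, "Success",
    status_code>=499, "Errors")
| stats count by Derived_Status_Code
```

Expected result: two rows, Success with count 2 (200 and 204) and Errors with count 2 (499 and 503); 302 and 404 never reach the eval. In the real search, replace the first four lines with the base search from the question (index=xyz AND source=abc AND sourcetype=S1 AND client="BOFA") followed by the same search-time filter. The filter is also the safer place to cut the data down: the fewer events that leave the indexers, the less there is to inspect, and the field name in the filter must match the indexed field's case exactly.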


Raj_Splunk_Ing
Path Finder

Figured it out... my column name had one upper case letter in it... I think I need to slow down from the Splunk-ing excitement 🙂😀

0 Karma

PickleRick
SplunkTrust
SplunkTrust

Ahh... you found out yourself what I'd just written you 🙂

Good job.

Remember that case matters in field names. It might matter or not for field values depending on how you're using the condition.

something | search a=b

will match whenever field a has value of either b or B

But

something | where a="B"

will match only upper-case B.

0 Karma
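Three small checks for the case rules described above, added here as an example rather than taken from the post. Each is a separate search built on makeresults with a constructed single event, so it runs against no index. The first reproduces the thread's bug: status_Code (capital C) is not the field that exists, so the comparison cannot match and the event is dropped. The second and third contrast the search command, which matches field values case-insensitively, with where, which compares string literals exactly.

```spl
| makeresults
| eval status_code=200
| search status_code>=199 status_Code<300

| makeresults
| eval a="B"
| search a=b

| makeresults
| eval a="B"
| where a="b"
```

Expected results: the first search returns 0 events (the field status_Code does not exist on the event), the second returns 1 event (b matches B in search), and the third returns 0 events (where sees "B" and "b" as different strings). Running the first check against one constructed event is a quick way to confirm a suspected field-name typo before hunting for it in a long search.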

Raj_Splunk_Ing
Path Finder

Tried both of the below... I only see errors which are >=499... for some reason I don't see the success ones.
None of the 200s are showing... something is wrong.

AND ((status_code>=199 status_Code<300) OR (status_code>=499) )  -- I understand that there is an implied AND in it

AND ((status_code>=199 AND status_Code<300) OR (status_code>=499) )  -- explicit AND mentioned

 

0 Karma

PickleRick
SplunkTrust
SplunkTrust

Case matters for field names so if you indeed use

status_Code<300

when the field is named

status_code

it won't match

0 Karma