Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

convert eval into search using AND...

Raj_Splunk_Ing
Explorer
‎10-11-2024 09:29 AM

Hi All,

i have this calculation and at the end iam using where to get only what i need. splunk suggests that put this into search

index= xyz
AND source=abc
AND sourcetype=S1
AND client="BOFA"
AND
status_code -- how do i get this to get only the status codes that are 
>=199 and <300  --> these belong to  my success bucket
>=499                      --> These belong to my error bucket



| eval Derived_Status_Code=

case(

status_code>=199 and status_code<300,"Success",
status_code>=499,"Errors",
1=1,"Others"  ``` I do not need anything that is not in the above conditions
)
|Table <>
|Where Derived_Status_Code IN ("Errors',"Success")


I want to avoid where and get this into search using AND

Thank you so much for your time


0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎10-11-2024 11:03 AM

You can simply do

...  ((status_code>=199 status_code<300) OR (status_code>=499))

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎10-11-2024 11:03 AM

You can simply do

...  ((status_code>=199 status_code<300) OR (status_code>=499))

 

0 Karma
Reply
Solved! Jump to solution

Raj_Splunk_Ing
Explorer
‎10-11-2024 12:46 PM

figured out.. my column name had one upper case letter in it.....i think i need to slowdown from the Splunk..ing excitement 🙂😀

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎10-11-2024 01:52 PM

Ahh... you found out yourself what I've just wrote you 🙂

Good job.

Remember that case matters in field names. It might matter or not for field values depending on how you're using the condition.

something | search a=b

will match whenever field a has value of either b or B

But

something | where a="B"

will match only upper-case B.

0 Karma
Reply
Solved! Jump to solution

Raj_Splunk_Ing
Explorer
‎10-11-2024 11:58 AM

tired both of the below... i only see errors which are  >=499..for some reason i dont see the success ones
none of the 200 or showing...something is wrong

AND ((status_code>=199 status_Code<300) OR (status_code>=499) )  - understand that there is an implied AND in it

 

AND ((status_code>=199 AND status_Code<300) OR (status_code>=499) )  --explicit AND mentioned

 

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎10-11-2024 01:48 PM

Case matters for field names so if you indeed use

status_Code<300

when the field is named

status_code

it won't match

0 Karma
Reply
Get Updates on the Splunk Community!

New This Month - Splunk Observability updates and improvements for faster ...

What’s New? This month, we’re delivering several enhancements across Splunk Observability Cloud for faster and ...

What's New in Splunk Cloud Platform 9.3.2411?

Hey Splunky People! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2411. This release ...

Buttercup Games: Further Dashboarding Techniques (Part 6)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top