Solved: trying to understand the where clause better + can...

HattrickNZ · ‎07-15-2015

my query looks like

stats max(KPI1) as "Traffic of Sessions Answered (Erl)" max(KPI2) as "Traffic of Sessions Connected (Erl)" max(c1907466993) as "Traffic of Sessions Seized (Erl)" by SBC_TGN_TGID | where "Traffic of Sessions Answered (Erl)" > 0

but this does not work, get an error, as it does not seem to like this naming format "Traffic of Sessions Answered (Erl)"

But if i do it like below it works, i get a table with no Zeron values.

stats max(KPI1) as "Traffic" max(KPI2) as "Traffic of Sessions Connected (Erl)" max(KPI3) as "Traffic of Sessions Seized (Erl)" by SBC_TGN_TGID | where Traffic > 0

So it likes this: where Traffic > 0

But it will not like this: where Traffic > 0

It basically does not like names that are inside double quotes.

Can someone explain this to me? And is there a way I can keep the name as it is (i.e. with spaces)

HattrickNZ · ‎07-15-2015

I have to use single quotes to get it to work

| where 'Traffic of Sessions Answered' > 0

View solution in original post

woodcock · ‎07-16-2015

You can also use dollar signs:

| where $Traffic of Sessions Answered$ > 0

HattrickNZ · ‎07-15-2015

I have to use single quotes to get it to work

| where 'Traffic of Sessions Answered' > 0

MuS · ‎07-15-2015

exactly 😉

trying to understand the where clause better + can spaces be in the variable name used for the where clause

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!