Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

trying to understand the where clause better + can spaces be in the variable name used for the where clause

HattrickNZ
Motivator
‎07-15-2015 04:00 PM

my query looks like

stats max(KPI1) as "Traffic of Sessions Answered (Erl)" max(KPI2) as "Traffic of Sessions Connected (Erl)" max(c1907466993) as "Traffic of Sessions Seized (Erl)" by SBC_TGN_TGID | where "Traffic of Sessions Answered (Erl)" > 0

but this does not work, get an error, as it does not seem to like this naming format "Traffic of Sessions Answered (Erl)"

But if i do it like below it works, i get a table with no Zeron values.

stats max(KPI1) as "Traffic" max(KPI2) as "Traffic of Sessions Connected (Erl)" max(KPI3) as "Traffic of Sessions Seized (Erl)" by SBC_TGN_TGID | where Traffic > 0

So it likes this: where Traffic > 0

But it will not like this: where Traffic > 0

It basically does not like names that are inside double quotes.

Can someone explain this to me? And is there a way I can keep the name as it is (i.e. with spaces)

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

HattrickNZ
Motivator
‎07-15-2015 04:05 PM

I have to use single quotes to get it to work

| where 'Traffic of Sessions Answered' > 0

View solution in original post

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎07-16-2015 05:37 AM

You can also use dollar signs:

| where $Traffic of Sessions Answered$ > 0
Reply
Solved! Jump to solution
Solution

HattrickNZ
Motivator
‎07-15-2015 04:05 PM

I have to use single quotes to get it to work

| where 'Traffic of Sessions Answered' > 0

Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎07-15-2015 04:11 PM

exactly 😉

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...