I have a search that returns a list of dealers, the types of vehicle and the report file uploaded to corporate. In the first example below, which works, I have to use reverse logic in the where clause of the lookup. In the second example I get both types of showroom if I use straight up A=B logic.
So my question is why?
Works
index="adviis" sourcetype="adviis" "*chevy*" /car/ sc_status<=299
| eval datType="car"
| eval show=if(datType="car","TRUCK","CAR")
| makemv delim="/" cs_uri_stem
| eval folder=mvindex(cs_uri_stem,1)
| lookup Master.csv folder OUTPUT Dealer, model, showroom
| where like(model,"%U%") AND showroom!=show
Results
Date        Time      Dealer         Type   model      Report_File
2014-05-01  00:30:49  Smith Chevy    CAR    U          SmithCarSales.zip
2014-05-01  00:42:21  Alltown GMC    CAR    A|C|O|U    AlltownCarSales.zip
2014-05-01  00:43:41  Alltown GMC    CAR    A|C|O|U    AlltownCarPartsSupply.zip
2014-05-01  00:44:01  Alltown GMC    CAR    A|C|O|U    AlltownRepairs.zip
2014-05-01  00:44:21  Alltown GMC    CAR    A|C|O|U    AlltownRepairsSupply.zip
2014-05-01  00:45:05  City Autoplex  CAR    A|C|U      CityAutoplexCarSales.zip
2014-05-01  00:45:10  City Autoplex  CAR    A|C|U      CityAutoplexCarPartsSupply.zip
Doesn't work
index="adviis" sourcetype="adviis" "*chevy*" /car/ sc_status<=299
| eval datType="car"
| eval show=if(datType="car","CAR","TRUCK")
| makemv delim="/" cs_uri_stem
| eval folder=mvindex(cs_uri_stem,1)
| lookup Master.csv folder OUTPUT Dealer, model, showroom
| where like(model,"%U%") AND showroom=show
Results
Date        Time      Dealer         Type   model      Report_File
2014-05-01  00:30:49  Smith Chevy    CAR    U          SmithCarSales.zip
                      Smith Chevy    TRUCK  U
2014-05-01  00:42:21  Alltown GMC    CAR    A|C|O|U    AlltownCarSales.zip
                      Alltown GMC    TRUCK  A|C|O|U
2014-05-01  00:43:41  Alltown GMC    CAR    A|C|O|U    AlltownCarPartsSupply.zip
                      Alltown GMC    TRUCK  A|C|O|U
2014-05-01  00:44:01  Alltown GMC    CAR    A|C|O|U    AlltownRepairs.zip
                      Alltown GMC    TRUCK  A|C|O|U
2014-05-01  00:44:21  Alltown GMC    CAR    A|C|O|U    AlltownRepairsSupply.zip
                      Alltown GMC    TRUCK  A|C|O|U
2014-05-01  00:45:05  City Autoplex  CAR    A|C|U      CityAutoplexCarSales.zip
                      City Autoplex  TRUCK  A|C|U
2014-05-01  00:45:10  City Autoplex  CAR    A|C|U      CityAutoplexCarPartsSupply.zip
                      City Autoplex  TRUCK  A|C|U
I guess it's because of the multivalue field showroom. When show=TRUCK and showroom has the following values:
1. showroom=CAR
2. showroom=CAR, TRUCK (multivalue)
showroom!=show will return the first row.
But when show=CAR, the condition showroom=show will return both, since CAR is present in both.
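One way to take the multivalue ambiguity out of the comparison, as an added example that is not part of the thread: if the lookup really does return showroom as a multivalue field (CAR and TRUCK on one event, as the reply above guesses), expand it with mvexpand before the where, so each showroom value becomes its own result and showroom=show is a plain single-value test. The search below is the original "Doesn't work" search with that change; the constant show="CAR" replaces the if(datType=...) expression, which always produced CAR anyway, and the mvcount field is added only so the output shows how many showroom values the lookup returned per event before the expansion.

```spl
index="adviis" sourcetype="adviis" "*chevy*" /car/ sc_status<=299
| eval show="CAR"
| makemv delim="/" cs_uri_stem
| eval folder=mvindex(cs_uri_stem,1)
| lookup Master.csv folder OUTPUT Dealer, model, showroom
| eval showroom_count=mvcount(showroom)
| mvexpand showroom
| where like(model,"%U%") AND showroom=show
| table _time, Dealer, showroom, showroom_count, model, Report_File
```

Run it once without the where line to see what the lookup actually returns per event (showroom_count greater than 1 confirms the multivalue guess); the same check answers the question asked later in this thread about whether both searches look the same before the where. mvexpand only expands the named field, so if the lookup also returned Dealer or model as multivalue, those stay multivalue on each expanded row.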
Does this work?
| where like(model,"%U%") | where showroom=show
Because it's not only showroom; where like(model,"%U%") is also involved.
But you are returning TRUCK rather than CAR! Do you see the same result before the where in both searches? Then how is it the same?
if true print a | where a=0
is not the same as
if true print b | where a=0
But model is in both searches.
Can you add the value of the field 'showroom' to the output?