Splunk Search

where clause works only with reverse logic

kmattern
Builder

I have a search that returns a list of dealers, the types of vehicle and the report file uploaded to corporate. In the first example below, which works, I have to use reverse logic in the where clause of the lookup. In the second example I get both types of showroom if I use straight up A=B logic.

So my question is why?

Works
index="adviis" sourcetype="adviis" "*chevy*" /car/ sc_status<=299    
| eval datType="car" 
| eval show=if(datType="car","TRUCK","CAR") 
| makemv delim="/" cs_uri_stem
| eval folder=mvindex(cs_uri_stem,1)
| lookup Master.csv folder OUTPUT Dealer, model, showroom | where like(model,"%U%") AND showroom!=show

Results
Date       Time      Dealer         Type model    Report_File
2014-05-01 00:30:49  Smith Chevy    CAR  U        SmithCarSales.zip    
2014-05-01 00:42:21  Alltown GMC    CAR  A|C|O|U  AlltownCarSales.zip    
2014-05-01 00:43:41  Alltown GMC    CAR  A|C|O|U  AlltownCarPartsSupply.zip    
2014-05-01 00:44:01  Alltown GMC    CAR  A|C|O|U  AlltownRepairs.zip    
2014-05-01 00:44:21  Alltown GMC    CAR  A|C|O|U  AlltownRepairsSupply.zip    
2014-05-01 00:45:05  City Autoplex  CAR  A|C|U    CityAutoplexCarSales.zip    
2014-05-01 00:45:10  City Autoplex  CAR  A|C|U    CityAutoplexCarPartsSupply.zip   


Doesn't work
index="adviis" sourcetype="adviis" "*chevy*" /car/ sc_status<=299    
| eval datType="car" 
| eval show=if(datType="car","CAR","TRUCK") 
| makemv delim="/" cs_uri_stem
| eval folder=mvindex(cs_uri_stem,1)
| lookup Master.csv folder OUTPUT Dealer, model, showroom | where like(model,"%U%") AND showroom=show

Results
Date       Time      Dealer         Type    model    Report_File
2014-05-01 00:30:49  Smith Chevy    CAR     U        SmithCarSales.zip    
                     Smith Chevy    TRUCK   U    
2014-05-01 00:42:21  Alltown GMC    CAR     A|C|O|U  AlltownCarSales.zip   
                     Alltown GMC    TRUCK   A|C|O|U    
2014-05-01 00:43:41  Alltown GMC    CAR     A|C|O|U  AlltownCarPartsSupply.zip    
                     Alltown GMC    TRUCK   A|C|O|U    
2014-05-01 00:44:01  Alltown GMC    CAR     A|C|O|U  AlltownRepairs.zip   
                     Alltown GMC    TRUCK   A|C|O|U   
2014-05-01 00:44:21  Alltown GMC    CAR     A|C|O|U  AlltownRepairsSupply.zip    
                     Alltown GMC    TRUCK   A|C|O|U  
2014-05-01 00:45:05  City Autoplex  CAR     A|C|U    CityAutoplexCarSales.zip  
                     City Autoplex  TRUCK   A|C|U    
2014-05-01 00:45:10  City Autoplex  CAR     A|C|U    CityAutoplexCarPartsSupply.zip  
                     City Autoplex  TRUCK   A|C|U    
0 Karma

somesoni2
Revered Legend

I guess its because of the Multivalue fields showroom. When show=TRUCK and showroom has following values.
1. showroom=CAR
2. showroom=CAR (multivalue)
TRUCK

showroom!=show will return first row.

but When show=CAR, condition showroom=show will return both since CAR is present in both.

araitz
Splunk Employee
Splunk Employee

Does this work?

| where like(model,"%U%") | where showroom=show
0 Karma

linu1988
Champion

Because it's not only Showroom , where like(model,"%U%") is also involved.

0 Karma

linu1988
Champion

but you are returning Truck rather than CAR! do you see same result before where in both searches? then how is it the same?

if true print a| where a=0

is not same as

if true print b |where a=0

0 Karma

kmattern
Builder

But model is in both searches.

0 Karma

somesoni2
Revered Legend

Can you add value of field 'showroom' in the output?

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...