Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

where clause works only with reverse logic

kmattern
Builder
‎05-15-2014 10:12 AM

I have a search that returns a list of dealers, the types of vehicle and the report file uploaded to corporate. In the first example below, which works, I have to use reverse logic in the where clause of the lookup. In the second example I get both types of showroom if I use straight up A=B logic.

So my question is why?

Works
index="adviis" sourcetype="adviis" "*chevy*" /car/ sc_status<=299    
| eval datType="car" 
| eval show=if(datType="car","TRUCK","CAR") 
| makemv delim="/" cs_uri_stem
| eval folder=mvindex(cs_uri_stem,1)
| lookup Master.csv folder OUTPUT Dealer, model, showroom | where like(model,"%U%") AND showroom!=show

Results
Date       Time      Dealer         Type model    Report_File
2014-05-01 00:30:49  Smith Chevy    CAR  U        SmithCarSales.zip    
2014-05-01 00:42:21  Alltown GMC    CAR  A|C|O|U  AlltownCarSales.zip    
2014-05-01 00:43:41  Alltown GMC    CAR  A|C|O|U  AlltownCarPartsSupply.zip    
2014-05-01 00:44:01  Alltown GMC    CAR  A|C|O|U  AlltownRepairs.zip    
2014-05-01 00:44:21  Alltown GMC    CAR  A|C|O|U  AlltownRepairsSupply.zip    
2014-05-01 00:45:05  City Autoplex  CAR  A|C|U    CityAutoplexCarSales.zip    
2014-05-01 00:45:10  City Autoplex  CAR  A|C|U    CityAutoplexCarPartsSupply.zip   


Doesn't work
index="adviis" sourcetype="adviis" "*chevy*" /car/ sc_status<=299    
| eval datType="car" 
| eval show=if(datType="car","CAR","TRUCK") 
| makemv delim="/" cs_uri_stem
| eval folder=mvindex(cs_uri_stem,1)
| lookup Master.csv folder OUTPUT Dealer, model, showroom | where like(model,"%U%") AND showroom=show

Results
Date       Time      Dealer         Type    model    Report_File
2014-05-01 00:30:49  Smith Chevy    CAR     U        SmithCarSales.zip    
                     Smith Chevy    TRUCK   U    
2014-05-01 00:42:21  Alltown GMC    CAR     A|C|O|U  AlltownCarSales.zip   
                     Alltown GMC    TRUCK   A|C|O|U    
2014-05-01 00:43:41  Alltown GMC    CAR     A|C|O|U  AlltownCarPartsSupply.zip    
                     Alltown GMC    TRUCK   A|C|O|U    
2014-05-01 00:44:01  Alltown GMC    CAR     A|C|O|U  AlltownRepairs.zip   
                     Alltown GMC    TRUCK   A|C|O|U   
2014-05-01 00:44:21  Alltown GMC    CAR     A|C|O|U  AlltownRepairsSupply.zip    
                     Alltown GMC    TRUCK   A|C|O|U  
2014-05-01 00:45:05  City Autoplex  CAR     A|C|U    CityAutoplexCarSales.zip  
                     City Autoplex  TRUCK   A|C|U    
2014-05-01 00:45:10  City Autoplex  CAR     A|C|U    CityAutoplexCarPartsSupply.zip  
                     City Autoplex  TRUCK   A|C|U
0 Karma
Reply

somesoni2
Revered Legend
‎05-15-2014 10:55 AM

I guess its because of the Multivalue fields showroom. When show=TRUCK and showroom has following values.
1. showroom=CAR
2. showroom=CAR (multivalue)
TRUCK

showroom!=show will return first row.

but When show=CAR, condition showroom=show will return both since CAR is present in both.

Reply

araitz
Splunk Employee
Splunk Employee
‎05-15-2014 10:51 AM

Does this work?

| where like(model,"%U%") | where showroom=show
0 Karma
Reply

linu1988
Champion
‎05-15-2014 10:36 AM

Because it's not only Showroom , where like(model,"%U%") is also involved.

0 Karma
Reply

linu1988
Champion
‎05-15-2014 12:34 PM

but you are returning Truck rather than CAR! do you see same result before where in both searches? then how is it the same?

if true print a| where a=0

is not same as

if true print b |where a=0

0 Karma
Reply

kmattern
Builder
‎05-15-2014 10:46 AM

But model is in both searches.

0 Karma
Reply

somesoni2
Revered Legend
‎05-15-2014 10:35 AM

Can you add value of field 'showroom' in the output?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...