Re: where clause works only with reverse logic

kmattern · ‎05-15-2014

I have a search that returns a list of dealers, the types of vehicle and the report file uploaded to corporate. In the first example below, which works, I have to use reverse logic in the where clause of the lookup. In the second example I get both types of showroom if I use straight up A=B logic.

So my question is why?

Works
index="adviis" sourcetype="adviis" "*chevy*" /car/ sc_status<=299    
| eval datType="car" 
| eval show=if(datType="car","TRUCK","CAR") 
| makemv delim="/" cs_uri_stem
| eval folder=mvindex(cs_uri_stem,1)
| lookup Master.csv folder OUTPUT Dealer, model, showroom | where like(model,"%U%") AND showroom!=show

Results
Date       Time      Dealer         Type model    Report_File
2014-05-01 00:30:49  Smith Chevy    CAR  U        SmithCarSales.zip    
2014-05-01 00:42:21  Alltown GMC    CAR  A|C|O|U  AlltownCarSales.zip    
2014-05-01 00:43:41  Alltown GMC    CAR  A|C|O|U  AlltownCarPartsSupply.zip    
2014-05-01 00:44:01  Alltown GMC    CAR  A|C|O|U  AlltownRepairs.zip    
2014-05-01 00:44:21  Alltown GMC    CAR  A|C|O|U  AlltownRepairsSupply.zip    
2014-05-01 00:45:05  City Autoplex  CAR  A|C|U    CityAutoplexCarSales.zip    
2014-05-01 00:45:10  City Autoplex  CAR  A|C|U    CityAutoplexCarPartsSupply.zip   


Doesn't work
index="adviis" sourcetype="adviis" "*chevy*" /car/ sc_status<=299    
| eval datType="car" 
| eval show=if(datType="car","CAR","TRUCK") 
| makemv delim="/" cs_uri_stem
| eval folder=mvindex(cs_uri_stem,1)
| lookup Master.csv folder OUTPUT Dealer, model, showroom | where like(model,"%U%") AND showroom=show

Results
Date       Time      Dealer         Type    model    Report_File
2014-05-01 00:30:49  Smith Chevy    CAR     U        SmithCarSales.zip    
                     Smith Chevy    TRUCK   U    
2014-05-01 00:42:21  Alltown GMC    CAR     A|C|O|U  AlltownCarSales.zip   
                     Alltown GMC    TRUCK   A|C|O|U    
2014-05-01 00:43:41  Alltown GMC    CAR     A|C|O|U  AlltownCarPartsSupply.zip    
                     Alltown GMC    TRUCK   A|C|O|U    
2014-05-01 00:44:01  Alltown GMC    CAR     A|C|O|U  AlltownRepairs.zip   
                     Alltown GMC    TRUCK   A|C|O|U   
2014-05-01 00:44:21  Alltown GMC    CAR     A|C|O|U  AlltownRepairsSupply.zip    
                     Alltown GMC    TRUCK   A|C|O|U  
2014-05-01 00:45:05  City Autoplex  CAR     A|C|U    CityAutoplexCarSales.zip  
                     City Autoplex  TRUCK   A|C|U    
2014-05-01 00:45:10  City Autoplex  CAR     A|C|U    CityAutoplexCarPartsSupply.zip  
                     City Autoplex  TRUCK   A|C|U

somesoni2 · ‎05-15-2014

I guess its because of the Multivalue fields showroom. When show=TRUCK and showroom has following values.
1. showroom=CAR
2. showroom=CAR (multivalue)
TRUCK

showroom!=show will return first row.

but When show=CAR, condition showroom=show will return both since CAR is present in both.

araitz · ‎05-15-2014

Does this work?

| where like(model,"%U%") | where showroom=show

linu1988 · ‎05-15-2014

Because it's not only Showroom , where like(model,"%U%") is also involved.

linu1988 · ‎05-15-2014

but you are returning Truck rather than CAR! do you see same result before where in both searches? then how is it the same?

if true print a| where a=0

is not same as

if true print b |where a=0

kmattern · ‎05-15-2014

But model is in both searches.

somesoni2 · ‎05-15-2014

Can you add value of field 'showroom' in the output?

where clause works only with reverse logic

Starting With Observability: OpenTelemetry Best Practices

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas

Streamline Data Ingestion With Deployment Server Essentials