
where clause works only with reverse logic

Builder

I have a search that returns a list of dealers, the types of vehicle and the report file uploaded to corporate. In the first example below, which works, I have to use reverse logic in the where clause of the lookup. In the second example I get both types of showroom if I use straight up A=B logic.

So my question is why?

Works
index="adviis" sourcetype="adviis" "*chevy*" /car/ sc_status<=299
| eval datType="car"
| eval show=if(datType="car","TRUCK","CAR")
| makemv delim="/" cs_uri_stem
| eval folder=mvindex(cs_uri_stem,1)
| lookup Master.csv folder OUTPUT Dealer, model, showroom
| where like(model,"%U%") AND showroom!=show

Results
Date       Time      Dealer         Type model    Report_File
2014-05-01 00:30:49  Smith Chevy    CAR  U        SmithCarSales.zip    
2014-05-01 00:42:21  Alltown GMC    CAR  A|C|O|U  AlltownCarSales.zip    
2014-05-01 00:43:41  Alltown GMC    CAR  A|C|O|U  AlltownCarPartsSupply.zip    
2014-05-01 00:44:01  Alltown GMC    CAR  A|C|O|U  AlltownRepairs.zip    
2014-05-01 00:44:21  Alltown GMC    CAR  A|C|O|U  AlltownRepairsSupply.zip    
2014-05-01 00:45:05  City Autoplex  CAR  A|C|U    CityAutoplexCarSales.zip    
2014-05-01 00:45:10  City Autoplex  CAR  A|C|U    CityAutoplexCarPartsSupply.zip   


Doesn't work
index="adviis" sourcetype="adviis" "*chevy*" /car/ sc_status<=299
| eval datType="car"
| eval show=if(datType="car","CAR","TRUCK")
| makemv delim="/" cs_uri_stem
| eval folder=mvindex(cs_uri_stem,1)
| lookup Master.csv folder OUTPUT Dealer, model, showroom
| where like(model,"%U%") AND showroom=show

Results
Date       Time      Dealer         Type    model    Report_File
2014-05-01 00:30:49  Smith Chevy    CAR     U        SmithCarSales.zip    
                     Smith Chevy    TRUCK   U    
2014-05-01 00:42:21  Alltown GMC    CAR     A|C|O|U  AlltownCarSales.zip   
                     Alltown GMC    TRUCK   A|C|O|U    
2014-05-01 00:43:41  Alltown GMC    CAR     A|C|O|U  AlltownCarPartsSupply.zip    
                     Alltown GMC    TRUCK   A|C|O|U    
2014-05-01 00:44:01  Alltown GMC    CAR     A|C|O|U  AlltownRepairs.zip   
                     Alltown GMC    TRUCK   A|C|O|U   
2014-05-01 00:44:21  Alltown GMC    CAR     A|C|O|U  AlltownRepairsSupply.zip    
                     Alltown GMC    TRUCK   A|C|O|U  
2014-05-01 00:45:05  City Autoplex  CAR     A|C|U    CityAutoplexCarSales.zip  
                     City Autoplex  TRUCK   A|C|U    
2014-05-01 00:45:10  City Autoplex  CAR     A|C|U    CityAutoplexCarPartsSupply.zip  
                     City Autoplex  TRUCK   A|C|U    

Re: where clause works only with reverse logic

SplunkTrust

Can you add value of field 'showroom' in the output?


Re: where clause works only with reverse logic

Champion

Because it's not only showroom; where like(model,"%U%") is also involved.


Re: where clause works only with reverse logic

Builder

But model is in both searches.


Re: where clause works only with reverse logic

Champion

But you are returning TRUCK rather than CAR! Do you see the same result before the where in both searches? Then how is it the same?

if true print a | where a=0

is not same as

if true print b | where a=0


Re: where clause works only with reverse logic

Splunk Employee

Does this work?

| where like(model,"%U%") | where showroom=show

Re: where clause works only with reverse logic

SplunkTrust

I guess it's because of the multivalue field showroom. When show=TRUCK and showroom has the following values:
1. showroom=CAR
2. showroom=CAR, TRUCK (multivalue)

showroom!=show will return the first row.

But when show=CAR, the condition showroom=show will return both, since CAR is present in both.
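The following is an added Python model of the explanation in the last reply above; it is not code from the thread or from Splunk. It takes the two rows the reply lists (a single-valued showroom and a multivalue showroom) and runs the where clause from both of the original searches over them. The comparison rules are assumptions written into the model, not verified Splunk behaviour: `=` is read as true when any value of the field matches, and `!=` is shown under two readings, "no value matches" (which reproduces what the reply describes) and "any value differs" (which would also pass the multivalue row).

```python
# Added example, not code from the thread. It models the last reply:
# a where-clause comparison against a field that the lookup returned as
# a multivalue field. Rows are constructed from the reply; the comparison
# semantics are labelled assumptions, not verified Splunk behaviour.
from typing import Callable, Dict, List, Union

Value = Union[str, List[str]]   # a field holds one value or several

# Constructed rows, as the reply describes them: row 1 got a single-valued
# showroom from the lookup, row 2 got a multivalue showroom.
ROWS: List[Dict[str, Value]] = [
    {"id": "row1", "model": "U",       "showroom": "CAR"},
    {"id": "row2", "model": "A|C|O|U", "showroom": ["CAR", "TRUCK"]},
]


def values(v: Value) -> List[str]:
    """Treat a single value and a multivalue field uniformly."""
    return v if isinstance(v, list) else [v]


def eq_any(field: Value, rhs: str) -> bool:
    """Assumed model of `field=rhs`: true when ANY value equals rhs."""
    return any(x == rhs for x in values(field))


def ne_none(field: Value, rhs: str) -> bool:
    """Reading of `field!=rhs` that matches the reply: true only when NO value equals rhs."""
    return all(x != rhs for x in values(field))


def ne_any(field: Value, rhs: str) -> bool:
    """Alternative reading of `field!=rhs`: true when ANY value differs from rhs."""
    return any(x != rhs for x in values(field))


def like_u(model: Value) -> bool:
    """Stand-in for like(model, "%U%") on a single-valued model field."""
    return "U" in str(model)


def run_where(show: str, compare: Callable[[Value, str], bool]) -> List[str]:
    """Ids of rows that pass `where like(model,"%U%") AND compare(showroom, show)`.

    The like() half is identical in both of the original searches, so only the
    showroom comparison decides which rows survive.
    """
    return [str(r["id"]) for r in ROWS
            if like_u(r["model"]) and compare(r["showroom"], show)]


if __name__ == "__main__":
    # "Works" search: show=TRUCK, showroom!=show -> only row1 under the reply's reading
    print(run_where("TRUCK", ne_none))   # ['row1']
    # "Doesn't work" search: show=CAR, showroom=show -> both rows, CAR is in both
    print(run_where("CAR", eq_any))      # ['row1', 'row2']
    # Under the other reading of != the multivalue row would pass as well
    print(run_where("TRUCK", ne_any))    # ['row1', 'row2']
```

The practical point for anyone using such a clause as a filter is that the result depends on which reading of the comparison applies to a multivalue field, so a clause meant to exclude one category can pass rows that carry that category alongside another. Adding the raw showroom values to the output before the where, as the first reply suggests, is the quickest way to see which reading the real search is applying.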