Unable to filter based on 2 fields- Help with synt...

POR160893 · ‎11-23-2022

Hey, I have a big query and I need to have a command on the query that would filter all Asset_State!="Development" OR Asset_State!="Pre-Production", bit for ONLY Asset_Environment!="PKI AND Offline" Status="2".

If tried the following command:
| if( Asset_Environment!="PKI AND Offline" Status="2".,search NOT (Asset_State!="Development" OR Asset_State!="Pre-Production"))

I know the syntax is wrong, can you help ?
Many thanks

gcusello · ‎11-23-2022

Hi @POR160893,

you canoot insert an if conditon in a search, it's possible to use if only in eval command, but you could use something like this, to adapt to your situation:

if you want to exclude events with Asset_State!="Development" OR Asset_State!="Pre-Production", bit for ONLY Asset_Environment!="PKI AND Offline" Status="2":

...
| search NOT ((Asset_State!="Development" OR Asset_State!="Pre-Production") Asset_Environment!="PKI Offline_Status=2)

Ciao.
Giuseppe

Unable to filter based on 2 fields- Help with syntax

data model

saved search

scheduled search

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

Are you a member of the Splunk Community?