Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to perform the below condition in Splunk search?

dtccsundar
Path Finder
‎11-07-2022 09:10 AM

I have 3 date columns.I have already calculated the difference between current day and the diff is in days are the values in the 3 columns.  

Col1 Col2 Col3
12   7
2 34 45
15 25  
250 56 120
21    

Required filter :

- i have  to filter only days <=40 in all 3 columns.

- If a column has null and other 2 columns have values <=40 then they need to be shown

-if a column or 2 column has null and rest other column has value <=40 they need to displayed

-if a column is null and other column values are greater >40 then they need to removed from scope.

Please let me know the search .

 

 

Labels (1)
Labels
0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎11-08-2022 12:16 AM

@dtccsundar 

Are you looking for this?

YOUR_SEARCH
|where (isnull(Col1) OR Col1="" OR Col1>40) OR ((isnull(Col2) OR Col2="" OR Col2>40)) OR (isnull(Col3) OR Col3="" OR Col3>40)

My Sample Search :

| makeresults 
| eval _raw="Col1	Col2	Col3
12	 	7
2	34	45
15	25	 
250	56	120
21	 	 " 
| multikv forceheader=1 
| table Col1 Col2 Col3 
| rename comment as "Upto now is for data only" 
| where (isnull(Col1) OR Col1="" OR Col1>40) OR ((isnull(Col2) OR Col2="" OR Col2>40)) OR (isnull(Col3) OR Col3="" OR Col3>40)


KV 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-07-2022 09:18 AM

HI @dtccsundar,

you have to create a filter like this:

<your search>
| fillnull value="-" Col1
| fillnull value="-" Col2
| fillnull value="-" Col3
| search 
   (Col1<=40 Col2<=40 Col3<=40) OR
   (Col1="-" Col2<=40 Col3<=40) OR
   (Col1<=40 Col2="-" Col3<=40) OR
   (Col1<=40 Col2<=40 Col3="-") OR
   (Col1="-" Col2="-" Col3<=40) OR 
   (Col1="-" Col2<=40 Col3="-") OR 
   (Col1<=40 Col2="-" Col3="-")

Ciao.

Giuseppe

0 Karma
Reply

dtccsundar
Path Finder
‎11-07-2022 10:34 PM

Thank you .

But by using this , the difference in days less than 40 days are also removed .

Kindly help me with this search.

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-07-2022 11:41 PM

Hi @dtccsundar,

let me understand: what do you mean with "by using this , the difference in days less than 40 days are also removed "?

I built your all the conditions you described, what are conditions removed?

Ciao.

Giuseppe

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...