where clause works only with reverse logic

kmattern · ‎05-15-2014

I have a search that returns a list of dealers, the types of vehicle and the report file uploaded to corporate. In the first example below, which works, I have to use reverse logic in the where clause of the lookup. In the second example I get both types of showroom if I use straight up A=B logic.

So my question is why?

Works
index="adviis" sourcetype="adviis" "*chevy*" /car/ sc_status<=299    
| eval datType="car" 
| eval show=if(datType="car","TRUCK","CAR") 
| makemv delim="/" cs_uri_stem
| eval folder=mvindex(cs_uri_stem,1)
| lookup Master.csv folder OUTPUT Dealer, model, showroom | where like(model,"%U%") AND showroom!=show

Results
Date       Time      Dealer         Type model    Report_File
2014-05-01 00:30:49  Smith Chevy    CAR  U        SmithCarSales.zip    
2014-05-01 00:42:21  Alltown GMC    CAR  A|C|O|U  AlltownCarSales.zip    
2014-05-01 00:43:41  Alltown GMC    CAR  A|C|O|U  AlltownCarPartsSupply.zip    
2014-05-01 00:44:01  Alltown GMC    CAR  A|C|O|U  AlltownRepairs.zip    
2014-05-01 00:44:21  Alltown GMC    CAR  A|C|O|U  AlltownRepairsSupply.zip    
2014-05-01 00:45:05  City Autoplex  CAR  A|C|U    CityAutoplexCarSales.zip    
2014-05-01 00:45:10  City Autoplex  CAR  A|C|U    CityAutoplexCarPartsSupply.zip   


Doesn't work
index="adviis" sourcetype="adviis" "*chevy*" /car/ sc_status<=299    
| eval datType="car" 
| eval show=if(datType="car","CAR","TRUCK") 
| makemv delim="/" cs_uri_stem
| eval folder=mvindex(cs_uri_stem,1)
| lookup Master.csv folder OUTPUT Dealer, model, showroom | where like(model,"%U%") AND showroom=show

Results
Date       Time      Dealer         Type    model    Report_File
2014-05-01 00:30:49  Smith Chevy    CAR     U        SmithCarSales.zip    
                     Smith Chevy    TRUCK   U    
2014-05-01 00:42:21  Alltown GMC    CAR     A|C|O|U  AlltownCarSales.zip   
                     Alltown GMC    TRUCK   A|C|O|U    
2014-05-01 00:43:41  Alltown GMC    CAR     A|C|O|U  AlltownCarPartsSupply.zip    
                     Alltown GMC    TRUCK   A|C|O|U    
2014-05-01 00:44:01  Alltown GMC    CAR     A|C|O|U  AlltownRepairs.zip   
                     Alltown GMC    TRUCK   A|C|O|U   
2014-05-01 00:44:21  Alltown GMC    CAR     A|C|O|U  AlltownRepairsSupply.zip    
                     Alltown GMC    TRUCK   A|C|O|U  
2014-05-01 00:45:05  City Autoplex  CAR     A|C|U    CityAutoplexCarSales.zip  
                     City Autoplex  TRUCK   A|C|U    
2014-05-01 00:45:10  City Autoplex  CAR     A|C|U    CityAutoplexCarPartsSupply.zip  
                     City Autoplex  TRUCK   A|C|U

somesoni2 · ‎05-15-2014

I guess its because of the Multivalue fields showroom. When show=TRUCK and showroom has following values.
1. showroom=CAR
2. showroom=CAR (multivalue)
TRUCK

showroom!=show will return first row.

but When show=CAR, condition showroom=show will return both since CAR is present in both.

araitz · ‎05-15-2014

Does this work?

| where like(model,"%U%") | where showroom=show

linu1988 · ‎05-15-2014

Because it's not only Showroom , where like(model,"%U%") is also involved.

linu1988 · ‎05-15-2014

but you are returning Truck rather than CAR! do you see same result before where in both searches? then how is it the same?

if true print a| where a=0

is not same as

if true print b |where a=0

kmattern · ‎05-15-2014

But model is in both searches.

somesoni2 · ‎05-15-2014

Can you add value of field 'showroom' in the output?

where clause works only with reverse logic

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms