Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

When trying to filter results using where or eval, why am I not getting any results?

srichansen
Path Finder
‎03-09-2017 04:13 AM

Hi all,

I am trying to filter results based on information in two fields and am getting no result when I used the expression in a eval or where statement. My filter is

"Aanpassing motorisch beperkten"="Y" AND "Aanpassing visueel beperkten"="Y".

if I use it like this it returns results, 

index="chb" "Aanpassing motorisch beperkten"="Y" AND "Aanpassing visueel beperkten"="Y"

Using the above criteria in a eval or where statement as below, return no results.

index="chb" | stats count as totaal, count(if("Aanpassing motorisch beperkten"="Y" AND "Aanpassing visueel beperkten"="Y",1,0)) as toegankelijk

It seems to not see the field values in the statements. Any suggestions would be appreciated.

Regards
Simon

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎03-09-2017 07:43 AM

Updated to field name with special character to be in single quotes inside eval

@srichansen I know you have a working query, how about this query which does not require field rename? If the output is what you need, you can compare this and your query performance in the Job Inspector.

index="chb" "Aanpassing motorisch beperkten"="*"  "Aanpassing visueel beperkten"="*"
| stats count as totaal, count(eval('Aanpassing motorisch beperkten'="Y" AND 'Aanpassing visueel beperkten'="Y")) as toegankelijk  by WegbeheerderNaam 
| sort -totaal

Also following is run anywhere sample

|makeresults
| eval "Test 1"="Y" 
| eval "Test 2"="Y"
| stats count as Total, count(eval('Test 1'="Y" AND 'Test 2'="Y")) as Count by _time
| sort -Total
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

niketn
Legend
‎03-09-2017 07:43 AM

Updated to field name with special character to be in single quotes inside eval

@srichansen I know you have a working query, how about this query which does not require field rename? If the output is what you need, you can compare this and your query performance in the Job Inspector.

index="chb" "Aanpassing motorisch beperkten"="*"  "Aanpassing visueel beperkten"="*"
| stats count as totaal, count(eval('Aanpassing motorisch beperkten'="Y" AND 'Aanpassing visueel beperkten'="Y")) as toegankelijk  by WegbeheerderNaam 
| sort -totaal

Also following is run anywhere sample

|makeresults
| eval "Test 1"="Y" 
| eval "Test 2"="Y"
| stats count as Total, count(eval('Test 1'="Y" AND 'Test 2'="Y")) as Count by _time
| sort -Total
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

srichansen
Path Finder
‎03-10-2017 07:26 AM

Hi niketnilay,

Thanks for the suggestion.

I tried the query and it also does not return any results. It still seems to not see the fields and value.

0 Karma
Reply
Solved! Jump to solution

srichansen
Path Finder
‎03-13-2017 01:38 AM

Works perfectly now.
It had to do with the single or double quotes in the eval or where statemants.

Thanks for the assistance!

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎03-13-2017 03:02 AM

@srichansen... Anytime! Glad it worked 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎03-10-2017 12:15 PM

@srichansen... Sorry Field name inside eval should have been in single quotes. I miss typed as I was trying with other test names/values. I have updated my answer, can you please try once more?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

srichansen
Path Finder
‎03-09-2017 05:02 AM

After playing around with the search I finally managed to get results with a work around.

It seems to not like the long field names in a where or eval statement. This is what I got to work.

index="chb" | rename "Aanpassing motorisch beperkten" as motor, "Aanpassing visueel beperkten" as vis | stats count as totaal, count(eval(motor="Y" AND vis="Y")) as toegankelijk by WegbeheerderNaam | sort -totaal

0 Karma
Reply
Solved! Jump to solution

DalJeanis
Legend
‎03-09-2017 11:38 AM

Please mark your answer as accepted, or you can also accept niketnilay's answer, which avoids the rename, assuming that it works for you.

Personally, I avoid long names during the code and rename immediately before presentation, but that's a matter of personal taste and catering to laziness both of typing and reading.

0 Karma
Reply
Solved! Jump to solution

srichansen
Path Finder
‎03-10-2017 07:28 AM

I have not marked my answer as accepted as, although it get results, it does not answer why the long field names work as initial filter but not in a function and I was hoping someone would be able to explain it.

0 Karma
Reply
Get Updates on the Splunk Community!

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...