Splunk Search

How to use wildcard in search command where to compare values?

laudai
Path Finder

Hello guys

I have lots of columns such as test1 ,test1_up ,test1_down ,test2 ,test2_up, test2_down ,tmp1, tmp1_up, tmp1_down ....

I tried this: |where test* >test*_up AND test*<test*_down , but this does not work.
Should I use foreach or another command?
Please give me any suggestions.

Thank you

0 Karma

niketn
Legend

@laudai, yes you can do this with foreach (I am sure there are other better ways as well)

The following is a run-anywhere search to generate data:

| makeresults
| eval test1=15
| eval test1_up=10
| eval test1_down=30
| eval test2=20
| eval test2_up=10
| eval test2_down=30
| eval counter_match=0
| eval counter_total=0
| eval test3=15
| eval test3_up=10
| eval test3_down=30
| eval test4=20
| eval test4_up=10
| eval test4_down=30

The following performs the check you are looking for:

| foreach test*_* fieldstr="#field#" matchseg1="#matchseg1#" matchseg2="#matchseg2#" [eval flag#matchseg1#=case(test#matchseg1#>test#matchseg1#_up AND test#matchseg1#<test#matchseg1#_down,0,true(),1)]

Since you are looking for a filter based on whether the condition is true or false, you can add further logic to check the same:

| eval counter_match=0
| eval counter_total=0
| foreach flag* [eval counter_match=counter_match+<<FIELD>>]
| foreach flag* [eval counter_total=counter_total+1]
| where counter_match=counter_total
| table test* flag* counter*
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

laudai
Path Finder

Thank you, I will try later.

0 Karma

ggssa2000
Explorer

If there is a field within test1, test1_up, etc.,
you need to convert it to number format; then you can use the where function to decide what you want.

0 Karma

laudai
Path Finder

All columns are numbers.
Thank you.

0 Karma

adonio
Ultra Champion

Hello there,
I will say right away that I don't know the solution to your question. However, the where clause you are trying to use is impossible: it compares many fields to many other fields, so here, for example, it takes test1 and tries to match it to test1_up and test2_up etc., which creates a contradiction and therefore no results.
Can you elaborate on what results you are expecting the search to produce?
Also, is this a CSV file, where each line / event has values across all fields?
Are you expecting a single event / value as a result?

0 Karma

laudai
Path Finder

Hi adonio,

Field test1 matches up with test1_up and test_down, test2 matches up with test2_up and test_down, tmp1 matches up with tmp1_up and tmp1_down.

If I use |where time_* > time_upper_*
I get

Error in 'where' command: The expression is malformed. An unexpected character is reached at '> time_upper_*'.

What I am expecting is like this:

|where test1 > test1_up OR test1 < test1_down OR test2 > test2_up OR test2 < test2_down OR tmp1 > tmp1_up OR tmp1 < tmp1_down

Yes, it is a CSV file. I convert the data to a table so that I can join another CSV file.
No, it will be a filter for the where command; what I want is to get a table in which the test1, test2, tmp1 ... columns have been filtered.

Thanks for your answer.

0 Karma
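As an added example (not from any of the posts above), here is one run-anywhere search that applies the foreach technique niketn describes to the per-field bounds check laudai asks for, over several rows so the filtering is visible. The field names test1, test2, tmp1 and the _up/_down suffixes are taken from the thread; the sample values, the row counter and the checks/passed names are constructed for this example. The foreach iterates over every *_up field, captures the prefix with matchseg1, and compares the base field against its own _up and _down bounds; tonumber() covers the CSV case ggssa2000 raises, where the fields arrive as strings. Swap the AND for OR and the comparison operators if you want the "outside the bounds" variant instead.

```spl
| makeresults count=3
| streamstats count AS row
| eval test1=case(row=1,15, row=2,35, row=3,20), test1_up=10, test1_down=30
| eval test2=case(row=1,20, row=2,20, row=3,5),  test2_up=10, test2_down=30
| eval tmp1=20, tmp1_up=10, tmp1_down=30
| eval checks=0, passed=0
| foreach *_up matchseg1="#base#" [eval checks=checks+1, passed=passed+if(tonumber(#base#) > tonumber(#base#_up) AND tonumber(#base#) < tonumber(#base#_down), 1, 0)]
| where passed=checks
| table row test* tmp* checks passed
```

With the constructed values only row 1 survives: row 2 fails on test1 (35 is above test1_down=30) and row 3 fails on test2 (5 is below test2_up=10). Because foreach substitutes the matched prefix textually, it only works when every base field has both an _up and a _down companion; a base field missing either bound makes the comparison evaluate to null and the row is dropped, so check field completeness first if the CSV may be sparse.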