Splunk Search

How do you specify a list in WHERE condition?

vaibhavvijay9
New Member

Hi All,

  • I want to display only results which are present in a given list (please see below):

    ....... | xmlkv | stats count by "ApplicationFunction" | WHERE "ApplicationFunction" IN ("Price", "History", "Notify")

  • There are around 10 values that I want to filter out from 30-40 values. So the list specified in IN will have 10 values.
  • I want to create an overview dashboard (PieChart).

*Is this possible with Splunk?*

If yes, please help me. Otherwise, please specify any possible way to achieve the same.

Thanks in advance!

0 Karma
1 Solution

vishaltaneja070
Motivator

Hello @vaibhavvijay9

I think the issue is with the double quotes. If you put the field name in double quotes in the where command, it becomes a value, which is causing the issue in your case. Try this:

    ....... | xmlkv | stats count by ApplicationFunction | WHERE ApplicationFunction IN ("Price", "History", "Notify")


0 Karma


vaibhavvijay9
New Member

Thanks @vishaltaneja07011993

Actually my exact field name was "ns0:ApplicationFunction", so when I used it without quotes in WHERE it was resulting in an error.

But I renamed it as app and it worked.

So my final working string is:

    ....... | xmlkv | rename ns0:ApplicationFunction as app | WHERE app IN ("Price", "History", "Notify") | stats count by app

Thanks Again.

0 Karma
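
An added example, not part of any post in this thread: in `where` and `eval` expressions a double-quoted token is a string literal, while single quotes mark a field name, so a field such as `ns0:ApplicationFunction` can be filtered in place without renaming it. The `makeresults` rows and the value `Audit` are constructed sample data so the search runs without any indexed events.

```spl
| makeresults count=4
| streamstats count AS n
| eval app=case(n==1, "Price", n==2, "History", n==3, "Notify", n==4, "Audit")
| rename app AS "ns0:ApplicationFunction"
| where 'ns0:ApplicationFunction' IN ("Price", "History", "Notify")
| stats count by "ns0:ApplicationFunction"
```

Swapping the single quotes in the `where` line for double quotes reproduces the behaviour from the question: the literal string is compared against the list, nothing matches, and the pie chart has no data.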

vishaltaneja070
Motivator

@vaibhavvijay9

Great 🙂 Welcome 🙂

Good Luck

0 Karma

vishaltaneja070
Motivator

You can also create a lookup of ApplicationFunction and filter from there as well, like below:

    |stats count by ApplicationFunction | search [|inputlookup ApplicationFunction.csv]

0 Karma