I want to run a search but can't figure out what's the difference when I make changes to it using the 'where' clause
What's the difference between
...base search extension!=NULL|where Module="previewservice" | chart count by Module, FinalState
and
...base search |where Module="previewservice" AND extension!=NULL| chart count by Module, FinalState
The first one produces an output while the second one does not 😕
Your first search string is the more efficient of the two, as it's best to exclude as early as possible. However, to make the second example work, replace
And extension!=NULL
with
isnotnull(extension)
This is because where uses eval expressions, one of which is the function isnotnull. In your second example extension!=NULL is actually interpreted as <fieldA> is not equal to <fieldB> (where <fieldB> is a non-existent field called NULL).
For reference, see the documentation on Informational Functions (http://docs.splunk.com/Documentation/SplunkCloud/6.6.1/SearchReference/InformationalFunctions)
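To see the behaviour the answer describes without touching real data, here is an added SPL example (not part of the original answer) that builds three constructed rows with makeresults, leaves extension unset on the second row, and filters with isnotnull() inside where; the field names Module, FinalState and extension are taken from the question, the values are made up.

```spl
| makeresults count=3
| streamstats count AS n
| eval Module="previewservice",
       FinalState=case(n=1, "success", n=2, "failed", n=3, "success"),
       extension=case(n=1, "pdf", n=3, "docx")
| where Module="previewservice" AND isnotnull(extension)
| chart count BY Module, FinalState
```

The chart reports two rows for previewservice/success because the row with no extension is dropped; replacing isnotnull(extension) with extension!=NULL makes where compare extension against a field literally named NULL, which does not exist, so every row is dropped and the chart is empty.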
Hi! You, Sir, are a true genius!