Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Filtering

smanojkumar
Communicator
‎01-30-2024 05:35 AM

Hi Splunkers,

  I dont need the value in first line and need that value later in search to filter, so I tried tis way to skip the value
dmz

type IN (if($machine$=="DMZ",true,$machine$)



Is that will work?

Thanks in Advance!


Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-30-2024 07:00 AM

The IN operator expects a parenthesized list of values.  The if function is not valid in the search command so, no this will not work.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

smanojkumar
Communicator
‎01-30-2024 11:29 PM

Hi @richgalloway ,
   Thanks for your response!
   I'm using this search in the macro definition, i want this to be fixed any possible ways of tweak this command to make it working.

I need that value in later part of this search, I just need to skip at this moment.

Thanks in Advance!
Manoj Kumar S

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎01-30-2024 11:47 PM

It's not clear what your data is and what you want to get from it.

But as general rule - you can't remove something from your data and process it later. At every pipe in your pipeline you have only the data you got from earliest steps.

So for example if you do:

index=myindex
| fields - source
| eval sourcematch=if(source="mysource",1,0)

The field sourcematch in your results will always be 0, because you remove the field "source" from your resulting events so you can't rely on it to calculate something in further steps on your processing pipeline.

0 Karma
Reply

smanojkumar
Communicator
‎01-31-2024 01:55 AM

Hi @PickleRick ,

   I don't want to remove the value, I just want to skip for that instance only if DMZ is passed as token value, when other values are passed, the condition needs to be there,
   I'm having a value from dashboard input dropdown to macro, where I need the condition to skip when DMZ is passed. 
  

Thanks in Advance!
Manoj Kumar S

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎01-31-2024 02:07 AM

What do you mean by "skip"?

0 Karma
Reply

smanojkumar
Communicator
‎01-31-2024 02:10 AM

Hi @PickleRick ,
   I don't want that condition to be considered, Its a multiselect value, when some other values are passed along with this, its working but when DMZ alone is passed, its not working, because in type, we don't categorized dmz, so we weren't use that value, so I want to skip only for that value, is that possible.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎01-31-2024 02:14 AM

For conditional evaluations you can use if() or case() functions with the eval command.

I still don't understand what you want to "not consider". You want to return values not matching a filter? Evaluate a field only for some subset of events? Something else?

A multiselect is a widget in a dashboard. You're posting this in Splunk Search section. What's the connection between one and the other? Please post some sample of events (anonymized if needed), desired outcome and additional conditions affecting the search (like this multisearch).

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...