stackoom
  简体   繁体   中英

How to use where clause in my search string in Splunk Enterprise

 原文  2020-08-06 15:25:40       splunk/ splunk-query/ splunk-sdk/ splunk-formula

Question

I have a search string like below:

index=qrp STAGE IN (ORDER_EVENT) | bucket _time span=1h | timechart useother=f span=1h sum(TRADES) as "TradeCount" by ODS_SRC_SYSTEM_CODE | fillnull value=0

And this is currently giving me aggregates of trades for multiple source systems from the stage table Trade event in a tabular format for every hour of the day.

I need to search exactly for the time frame 8am every day, whether the value of sun of trade for all source systems in the table is equal to zero. How to add the condition to check the column value is Zero or not?

Your help is much appreciated.

1 answers

solution1
 0  2020-08-09 20:37:08

You can use the where command to test the value of a field.

... | where TradeCount == 0

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Splunk search query with where clause not working How to use boto3 in splunk Enterprise How to use/do where in column of a lookup in Splunk Search Query How to do compound query with where clause in Splunk? How to search using a part of string in splunk and group by How to combine count from two different mstats in where clause Splunk? How to search splunk query which includes double quotes in the string to search how to send json data to splunk HEC or splunk enterprise Splunk :: Search String with Special Character how do i pass a result from one search into IN clause of another search in splunk?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM