topic Re: AND STATMENTS - HOW DOES LIMIT THE DATA in Splunk Dev

AND STATMENTS - HOW DOES LIMIT THE DATA

J_Walker_Ex — Thu, 20 Jul 2017 09:21:59 GMT

Hi , I have just performed a search

Using Database and file path as the items

(DATABASE) (I:\LOCATION\AREA\UK). This returns 1000000 Results

I tried to QC my method by looking for the following

(DATA AND BASE) (I:\LOCATION\AREA\UK). This only returned 30000 Results. Which seems strange as I thought in theory this one should return all the DATABASE entries and any other occurrence of data and base. I am doing something obvious wrong ?

Re: AND STATMENTS - HOW DOES LIMIT THE DATA

skalliger — Thu, 20 Jul 2017 11:13:08 GMT

Hi,

if I am correct, there is quite a difference here.
Searching for "database" will return events with the term "database". Whereas searching for DATA AND BASE will only return events with the terms data and base.
You would need to specify wildcards in order to get everything that contains the term data, like "*data*". "data*" etc.

Skalli

Re: AND STATMENTS - HOW DOES LIMIT THE DATA

J_Walker_Ex — Thu, 20 Jul 2017 11:21:31 GMT

Hi thanks for you answer

But if I am searching for DATA and BASE does this not in theory mean that all the entries for DATABASE will be picked up by this search. As DATEBASE contains DATA and BASE

But this is not what I am seeing DATABASE is yelding more results the (DATA AND BASE)

if I have say a string like manchesteruniteduseDATAwhentheyareplayinggamestogiveaBASE

and I search for (DATA AND BASE) it not also going to pick it up

Re: AND STATMENTS - HOW DOES LIMIT THE DATA

skalliger — Thu, 20 Jul 2017 11:37:24 GMT

No, think of it like SQL (if you know this language).

If you search for something like this:

WHERE x LIKE "DATA" OR "BASE"

this will only return events where x = DATA or x = BASE, but it will NOT return events with x = DATABASE.

Because then, you would need to define wildcards, something like this:

WHERE x LIKE "DATA%" OR "%BASE"

So, searching for "base" AND "data" will not return database, if it is one term without a space.
Is it clearer now?

Searching for (DATA* AND *BASE) should return all the events you want.

Skalli

Re: AND STATMENTS - HOW DOES LIMIT THE DATA

woodcock — Thu, 20 Jul 2017 14:49:22 GMT

In order for them to be similar, you need to use (DATA* AND *BASE). You would very much benefit from examining the lispy generated (the internal Splunk DB language) for each of your searches. Run a search, then after it is done, towards the right above the histogram is a Job menu. Click that and select Inspect job. This will open a new window with useful information, but not the lispy. At the top of this window is a search log link. Click that and search for lispy. Dig and learn.