topic Re: Using multiple OR operators in Getting Data In

Using multiple OR operators

shiftey — Thu, 28 May 2015 22:50:50 GMT

Hi guys

Im doing a correlation search where Im looking for hostnames and filtering for events I dont want. eg.

sourcetype=dhcplogs where dest!=Prefix1* OR dest!=Prefix2* OR dest!=Prefix3* OR dest!=Prefix4* .....

Is there a more efficient way of grouping multiple OR operators together? Would this help with search processing, or just tidier to read.

Cheers

Re: Using multiple OR operators

stephanefotso — Thu, 28 May 2015 23:02:39 GMT

Hello!
No, there is not another way to do it. And you don't have to put the where clause. just type your search like this:

sourcetype=dhcplogs  (dest!=Prefix1* OR dest!=Prefix2* OR dest!=Prefix3* OR dest!=Prefix4)

Thanks

Re: Using multiple OR operators

shiftey — Thu, 28 May 2015 23:23:56 GMT

Thanks stephanefotso,

I'm using this in a new correlation search using guided mode. Im at the filter stage of the search creation wizard and have put:

dest!=Prefix1* OR dest!=Prefix2*

yet there is an error below that says
" ! Search does not parse"

I've used the network sessions datamodel and specified the search time.

How would I know what "Application Context" to use for each correlation search?

Thanks for your help

Re: Using multiple OR operators

shiftey — Thu, 28 May 2015 23:24:37 GMT

I also specified DHCP as part of the network session data model..

Re: Using multiple OR operators

stephanefotso — Fri, 29 May 2015 00:04:08 GMT

If you are at the filter stage, i thing, you must use the where clause. But the problem is that, the star() can not works with the where clause. Means `|where dest!=Prefix1 `is an error.

Re: Using multiple OR operators

stephanefotso — Fri, 29 May 2015 00:21:00 GMT

try:

  ...|replace Prefix1* with Prefix1 in dest|replace Prefix2* with Prefix2 in dest|where dest!=Prefix1 OR dest!=Prefix2

Re: Using multiple OR operators

shiftey — Fri, 29 May 2015 02:32:07 GMT

Ive also tried

replace prefix1* with prefix1 in dest| replace prefix2* with prefix* in dest | where dest!=prefix1 OR dest!=prefix2

however that has 0 results. Im thinking Splunk is not treating prefix1* as a wildcard but a string?

Any more advice is most welcome.

Cheers

Re: Using multiple OR operators

stephanefotso — Fri, 29 May 2015 07:10:51 GMT

No. There was an error in my query. That is what to write.

replace prefix1* with prefix1 in dest| replace prefix2* with prefix2 in dest | where dest!=prefix1 OR dest!=prefix2

And, If prefix1* is a string in your events, means, you are not trying to match any caracter, just write

...| where dest!="prefix1*" OR dest!="prefix2*"

Thanks

Re: Using multiple OR operators

DalJeanis — Tue, 29 Sep 2020 13:48:53 GMT

This test will ALWAYS be true...

dest!=Prefix1* OR dest!=Prefix2*

...because...
Prefix1PlusSomeStuff is not equal to Prefix2*, so it meets the second criteria.

Prefix2PlusSomeStuff is not equal to Prefix1*, so it meets the first criteria.

...so, that should be coded in either of the following ways...

 NOT ( dest=Prefix1* OR dest=Prefix2*)

...or...

 (dest!=Prefix1* AND dest!=Prefix2*)

Re: Using multiple OR operators

lguinn2 — Mon, 19 Jun 2017 20:30:54 GMT

Wish Granted!!! In Splunk 6.6 -

Search command supports IN operator

sourcetype=xyz status IN (100, 102, 103)

Eval and where commands support in function

| where in(status,"222","333","444","555")