topic Re: Where and or statement for multiple values in Splunk Search

Where and or statement for multiple values

codedtech — Wed, 30 Sep 2020 03:02:16 GMT

Hello,

I'm building a search that tracks the use of memory allocated(mem_alloc), memory in use(mem_used), CPU in use(CPU_used) CPU allocated (CPU_alloc) along with the Cluster type (CT) for our vmware envrioment. My base query works perfect but when I try to build the logic behind it using where, and , or. I keep getting false positives, like the example below.

where CT=Tier_1 or CT=Tier_2 and CPU_used>=50 or mem_used>=50  or mem_alloc>=0.9 or CPU_alloc>=0.9

I end up getting results that have different cluster tiers in them

|CT | |CPU_used| |mem_used| |mem_alloc| |CPU_alloc|
|Tier_2 |50.01| |25.35| |.82 | |.82 |
|Tier_1 |62.23| |72.33| |.90 | |.65 |
|Tier_2 |45.53| |32.55| |.97 | |.55 |
|Tier_4 |23.25| |36.58| |1.01| |3.25|
|Tier_5 |40.32| |85.15| |3.25| |1.11|
I need to find a way to be able to narrow it down to Tier_1 or Tier_2 clusters only, and alert if any of the values break the thresholds in the where statements.

Re: Where and or statement for multiple values

mayurr98 — Wed, 20 Nov 2019 17:26:31 GMT

try this?

where (CT=Tier_1 or CT=Tier_2) AND (CPU_used>=50 or mem_used>=50  or mem_alloc>=0.9 or CPU_alloc>=0.9)

Re: Where and or statement for multiple values

codedtech — Wed, 30 Sep 2020 03:02:36 GMT

That worked, how would I repeat the process for Tier_3 where the values are different from Tier_1 and Tier 2 in the same query?

Re: Where and or statement for multiple values

mayurr98 — Wed, 20 Nov 2019 18:53:38 GMT

try:

((CT=Tier_1 or CT=Tier_2) AND (CPU_used>=50 or mem_used>=50  or mem_alloc>=0.9 or CPU_alloc>=0.9)) OR (CT=Tier_3 AND ( cpu_used>50 OR mem_used>60...))

Please upvote/accept the answer if it works for you.