topic Re: OR not working properly in Splunk Search

OR not working properly

lcharpentier — Tue, 31 Oct 2017 09:24:03 GMT

Hi,
I tried to run a report on multiple number from a specific field named "finalCalledPartyNumber" using the OR operator but I get results with other number as well. So I tried with bracket () but this time job failed, any idea how to do that ?

Here is my request:

finalCalledPartyNumber=331420 OR 331088 OR 331951 OR 331954 OR 331138 OR 331443 OR 333500 OR 331490 OR 332690 OR 332844 OR 332846 OR 332886 OR 331126 OR 332510 OR 333469 OR 332519 OR 331200 OR 331116 OR 332533 OR 331028 OR 333292 OR 331027 | eval Date=strftime(dateTimeConnect, "%H:%M:%S %d-%m-%Y") | top callingPartyNumber, finalCalledPartyNumber, Date by duration

But I got results with awkward numbers as "FinalCalledPartyNumber" as per below:
708907951 12:44:55 31-10-2017 ==> This number 708907951 is no where in my request
708960067 14:18:13 31-10-2017 ==> This number 708960067 is no where in my request
966131 11:21:54 31-10-2017 ==> This number 966131 is no where in my request
910723 13:10:30 31-10-2017 ==> This number 910723 is no where in my request
331490 09:18:49 31-10-2017 ==> This number 331490 is OK
708916453 13:37:38 31-10-2017 ==> This number 708916453 is no where in my request
331138 08:34:07 31-10-2017 ==> This number 331138 is OK
333500 08:48:14 31-10-2017 ==> This number 333500 is OK

Any ideas how to achieve this, to make sure I only got events only for what I requested ?

Many thanks

Re: OR not working properly

MuS — Tue, 31 Oct 2017 09:38:24 GMT

Usually you would use a search like key=value OR key=value .... but not something you use. In the most recent versions of Splunk you can use an eval option called in() which does what you want, check the docs http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/ConditionalFunctions#in.28VALUE-LIST.29

cheers, MuS

Re: OR not working properly

niketn — Tue, 31 Oct 2017 09:42:14 GMT

@lcharpentier, if you are on Splunk Enterprise 6.6 or higher you can try search with INclause

<YourBaseSearch> finalCalledPartyNumber IN (331420, 331088, 331951, 331954, 331138, 331443, 333500, 331490, 332690, 332844, 332846, 332886, 331126, 332510, 333469, 332519, 331200, 331116, 332533, 331028, 333292, 331027)
| <YourRemainingSearch>

If you are on previous version you should use <fieldName>=value1 OR <fieldName>=value1 OR ...

<YourBaseSearch> finalCalledPartyNumber=331420 OR finalCalledPartyNumber=331088 OR finalCalledPartyNumber=331951 OR finalCalledPartyNumber=331954 OR finalCalledPartyNumber=331138 OR finalCalledPartyNumber=331443 OR finalCalledPartyNumber=333500 OR finalCalledPartyNumber=331490 OR finalCalledPartyNumber=332690 OR finalCalledPartyNumber=332844 OR finalCalledPartyNumber=332846 OR finalCalledPartyNumber=332886 OR finalCalledPartyNumber=331126 OR finalCalledPartyNumber=332510 OR finalCalledPartyNumber=333469 OR finalCalledPartyNumber=332519 OR finalCalledPartyNumber=331200 OR finalCalledPartyNumber=331116 OR finalCalledPartyNumber=332533 OR finalCalledPartyNumber=331028 OR finalCalledPartyNumber=333292 OR finalCalledPartyNumber=331027
| <YourRemainingSearch>

Just placing OR <number> searches for the number across your raw event not just for the value of field finalCalledPartyNumber. I am expecting your logs have EPOCH time or some part of your _raw content is matching your search term. You can see in event mode or use highlight command to verify as to why those events are getting selected.
You can also consider using wildcard for field value if possible like finalCalledPartyNumber="33*" (if applicable).

Re: OR not working properly

niketn — Tue, 31 Oct 2017 09:43:32 GMT

@MuS you beat me to it. 🙂

Re: OR not working properly

wrangler2x — Tue, 31 Oct 2017 18:20:53 GMT

Looks like it does not work on 6.5.2