topic Re: Can you tell me the difference between two boolean expressions? in Splunk Search

Can you tell me the difference between two boolean expressions?

y2kbcm — Mon, 21 Jan 2019 23:21:57 GMT

Hi,

I am currently figuring out what is wrong with my boolean expression.

Currently, I'm making a whitelist of application on sysmon app.

The thing is, I got a different result when I used "(Image!=[process1] AND Image!=[Process2])" and "NOT (Image=[process1] OR Image=[process2])"

I would appreciate if you tell me the difference between these two boolean expressions.

Re: Can you tell me the difference between two boolean expressions?

renjith_nair — Tue, 22 Jan 2019 03:04:48 GMT

@y2kbcm,

If you search with the != expression, every event that has a value in the field, where that value does not match the value you specify, is returned. Events that do not have a value in the field are not included in the results.

If you search with the NOT operator, every event is returned except the events that contain the value you specify. This includes events that do not have a value in the field.

It's explained in Difference between NOT and != with examples.

Re: Can you tell me the difference between two boolean expressions?

y2kbcm — Tue, 22 Jan 2019 04:00:12 GMT

Thank you very much for your comment.
I went over the search manual but it didn't mean anything back then. Now it makes sense!