How to phrase a search to find results if two conditions are met?

beans123 — Thu, 01 Jun 2023 20:54:19 GMT

I am new to using Splunk and having some difficulties with the search query logic. I want to create a dashboard that displays the results of a condition being met, only if another condition is true. Example: if "PropertyOne"=true and "PropertyTwo"=5, return the instances where both of these conditions are met. I have tried using the if, match, and case functions, but I do not think I am using them correctly.

Search formats I've tried:

eval err=if("PropertyOne"=true, "PropertyTwo"=5)

if("PropertyOne"=false AND "PropertyTwo"=5)

eval err=if(match("PropertyOne"=false AND "PropertyTwo"=5), 1,0) <-- Here I added 1 and 0 because I didn't know what else to put in the other two slots needed for the "if" function.

eval err=case("PropertyOne"=true AND "PropertyTwo"=5)

Re: How to phrase a search to find results if two conditions are met?

richgalloway — Fri, 02 Jun 2023 00:17:36 GMT

There are a few ways to do that, depending on what you want to do with the condition.

| eval result=if(PropertyOne=5 AND PropertyTwo=0, 1, 0) | where result=1 | where (PropertyOne=5 AND PropertyTwo=0) | search PropertyOne=5 AND PropertyTwo=0

topic How to phrase a search to find results if two conditions are met? in Splunk Search

How to phrase a search to find results if two conditions are met?

Re: How to phrase a search to find results if two conditions are met?