topic Re: Multiple OR not working as expected with AND clause in search query in Splunk Search

Why is multiple OR not working as expected with AND clause in search query?

hgoyal — Tue, 08 Aug 2023 16:10:26 GMT

Hi Everyone,

I have a requirement to implement a search query where I have 3 unique values and one common value

3 unique values-> A, B, C

1 Common Value-> D

I am doing something like (A and D) OR (B and D) OR (C and D) but it is not giving any search result but it should give as (C and D ) is true.

@gcusello if is possible can you help?

Re: Multiple OR not working as expected with AND clause in search query

ITWhisperer — Tue, 08 Aug 2023 10:52:19 GMT

What you have should work, although you could try (A or B or C) AND D.

Can you share some events which you think should be being picked up which aren't?

Re: Multiple OR not working as expected with AND clause in search query

wmuselle — Tue, 08 Aug 2023 12:10:52 GMT

no result? , make sure your AND and OR are uppercase.
also as @ITWhisperer said combining your ORs should work.

are these stored in 2 fields or just 1?

Re: Multiple OR not working as expected with AND clause in search query

hgoyal — Wed, 09 Aug 2023 03:45:04 GMT

There is a single field on which these values are matched. Bucket Name

Re: Multiple OR not working as expected with AND clause in search query

ITWhisperer — Wed, 09 Aug 2023 05:49:29 GMT

In general, ANDs and ORs work as expected, which means there must be something specific about your scenario for it to not work. Without the specifics, e.g. actual (anonymised) examples, it is going to be difficult to help you further.

Re: Multiple OR not working as expected with AND clause in search query

hgoyal — Wed, 09 Aug 2023 06:27:44 GMT

Hello,

I think I know why it is not working. I was trying to make AND work on different events .

For example one event has A value
And there is another event with B value
And I am trying to apply multiple AND and OR between different events .

Is there anyway to apply AND and OR between 2 different events and their values ?

Re: Multiple OR not working as expected with AND clause in search query

ITWhisperer — Wed, 09 Aug 2023 06:34:47 GMT

The simple answer is no - Splunk works on a pipeline of events, so each comparison applies to one event at a time. Having said that, there are ways to combine events into single events, to which comparisons can be applied, and also ways to combine values from other events, so that cross-event comparisons can be made. It depends on your usecase.

Re: Multiple OR not working as expected with AND clause in search query

hgoyal — Wed, 09 Aug 2023 08:30:26 GMT

Hi,
I tried to combine two different eventtype events in one single event.

Eventtype = First and Eventtype =Second

eventtype="First " OR eventtype="Second "| transaction eventtype maxspan=1s | eval combined_event()=mvjoin(event, " ") | table combined_event

But it group the events of First and Second it didnt added FIRST+Second into single eventtype is this possible?

Re: Multiple OR not working as expected with AND clause in search query

ITWhisperer — Wed, 09 Aug 2023 08:41:50 GMT

No, using transaction eventtype will separate groups of events by eventtype so First and Second will be in different event (groups). Perhaps, instead of talking in generic terms, with you introducing additional variables to your usecase, it might be useful if you describe your exact usecase in more detail. What exactly are you trying to do?

Re: Multiple OR not working as expected with AND clause in search query

hgoyal — Wed, 09 Aug 2023 08:47:04 GMT

Okay. I have one variable say bucket_name. It exists in eventtype ->First and eventtype->Second

So this is a common field in both the eventtype.

But I want to combine these both events so that I have both the bucket names into single eventtype.

And that's why I was trying to perform OR and AND operator. TO extract bucket name value .

My use case is I want to Search only the bucketnames which exists with some other specific bucket names using search keyword

Re: Multiple OR not working as expected with AND clause in search query

ITWhisperer — Wed, 09 Aug 2023 09:21:14 GMT

This still isn't clear - do you have the same bucket_name in two different events, one of event type "First" and the other of event type "Second"; or, events of type "First" with different bucket_names and events of type "Second" with a different set of bucket_names?

Please share some sample (anonymised) events to make this clearer.