topic Re: Searching with AND OR in Splunk Search

Searching with AND OR

jlaigo2 — Tue, 29 Jan 2013 17:21:38 GMT

I am trying to setup a dashboard with the following example search. What I need to do is have both id and or name, I tried it with just OR but if it matches on the first it will not continue on the second and it breaks with AND OR...?

index=someindex id=* AND OR name=*

Re: Searching with AND OR

lpolo — Tue, 29 Jan 2013 17:32:21 GMT

with AND you get this result set

id | name | expected result
----------------------------
no | no | none are reported
yes | no | none are reported
no| yes | none are reported
yes | yes | Both are reported

id | name | expected result
----------------------------------
no | no | none are reported
yes | no | id is reported
no| yes | name is reported
yes | yes | Both  name and id are reported

Based on these premises you want to use OR

index=someindex id OR name|table _time id name

Re: Searching with AND OR

markthompson — Mon, 23 Feb 2015 12:49:48 GMT

lpolo has the correct answer, but I thought I'd clarify a bit.

The operators match criteria, so:

AND - is used in the format if(id=? AND name=?,TRUE, FALSE) so both criteria, working on a boolean basis, should return 1, then it will carry on and return true.

OR - is used in the format if(id=? OR name=?, TRUE, FALSE) so it will continue if either of the fields match

What you're attempting to do, is to check if the ID matches, or the name matches, then you wish to display the ID and the Name, so you should be using the OR; index=yourindex id=? OR name=? | table _time, id, name

Hope that cleared things up.