topic Re: query on using AND ,OR in Splunk Search

query on using AND ,OR

Jananee_iNautix — Mon, 28 Sep 2020 15:43:32 GMT

20131209.dbg0.log:2013-12-09 17:52:12,435 [58c8] SUCCESS: File successfully uploaded using SFTP. Filename was [nv_afis_nav_download12092013145008.csv]. File length was [1403].
20131209.dbg0.log:2013-12-05 15:34:00,895 [275f275f] MAJOR: File [/ftxprd1/BNYM_NONPROD_ZEROBYTE_TESTING/dir_monitor/Zero_Byte_Check_92kb.log] already exists. [.io.agents.filecopy.Filecopy]

20131220.server-status0.log:13-12-20 09:38:00 [76aa] SUCCESS: The FTP Server [rsba.net - FTP SERVER] uploaded file [/outbound/_2_113237579.csv] of length 1989 bytes from userid [EBD]. The [EBD] user logged in from [17.61.10.10:358] with security mode [DISABLED].

From the above mentioned events, the following exact phrases / strings need to be searched.

events containing the word "file"
events containing the phrase "SUCCESS: File successfully uploaded"
events containing the phrase "MAJOR:"
Note : Events should contain ("file" & "SUCCESS: File successfully uploaded") (OR) ("file" & "MAJOR").

Output should look like

Output :
20131209.dbg0.log:2013-12-09 17:52:12,435 [58c8] SUCCESS: File successfully uploaded using SFTP. Filename was [nv_afis_nav_download12092013145008.csv]. File length was [1403].
20131209.dbg0.log:2013-12-05 15:34:00,895 [275f275f] MAJOR: File [/ftxprd1/BNYM_NONPROD_ZEROBYTE_TESTING/dir_monitor/Zero_Byte_Check_92kb.log] already exists. [.io.agents.filecopy.Filecopy]

I tried with the following query as

index=fer file AND ("SUCCESS: File successfully uploaded" OR "MAJOR") |search source="*.dbg0.log"

I didn't get desired result.Could you please correct the query to fetch the desired events.

Re: query on using AND ,OR

linu1988 — Mon, 27 Jan 2014 09:52:26 GMT

Hello,
This should work.

index=fer ("file" AND "SUCCESS: File successfully uploaded") OR ( "file" AND "MAJOR") source="*.dbg0.log"

Thanks

Re: query on using AND ,OR

Jananee_iNautix — Mon, 27 Jan 2014 12:01:27 GMT

The search query you gave is not fetching the results as expected.If i give SUCCESS: alone or MAJOR alone like
index=fer "file" AND ("SUCCESS:" OR "MAJOR:") source=".dbg0.log".
The events are listed according to the query given.But,when given like
index=fer "file" AND ("SUCCESS: File successfully uploaded" OR "MAJOR: File ") source=".dbg0.log".
Nothing is listed out.Can you say why it is happening and resolve it

Re: query on using AND ,OR

linu1988 — Mon, 27 Jan 2014 12:28:55 GMT

Modified the query as the your comment.

Note : Events should contain ("file" & "SUCCESS: File successfully uploaded") (OR) ("file" & "MAJOR")

Re: query on using AND ,OR

Jananee_iNautix — Mon, 28 Sep 2020 15:43:35 GMT

index=fxr file AND (MAJOR) OR (SUCCESS: AND File AND successfully AND uploaded)|search source=".dbg-*trc.log"

This query fetched correct number of events as expected.I want to confirm whether splunk follows right to left associativity in the above query or what?Because the following query also fetched the same results as expected.

index=fxr (file) AND ((MAJOR) OR (SUCCESS: AND File AND successfully AND uploaded))|search source=".dbg-*trc.log"

Re: query on using AND ,OR

chimell — Fri, 12 Dec 2014 12:31:33 GMT

Just try like this , I think that it may be done :

      index=fer    source="*.dbg0.log" (“ file”  AND "SUCCESS: File successfully uploaded") OR (“file” AND "MAJOR")

Re: query on using AND ,OR

stephane_cyrill — Sun, 19 Apr 2015 15:11:18 GMT

Hi Jananee_iNautix,
You wanted, in your comment to know if splunk is processing left to right association.
WHEN YOU RUN A QUERY LIKE THAT,SPLUNK PROCESS THE EVENT IN THIER ARRIVING ODER.

CONCERNING THE QUERY, splunk proces from left to right, But NOTE THAT all the search element are always process. AND NO Matter the order of OR and AND the other of the resulting events will be the same if you don't SORT or transform it.