topic Re: How to properly use AND / OR in search? in Splunk Search

How to properly use AND / OR in search?

eddychuah — Tue, 02 Jun 2015 19:54:48 GMT

I'm new to this community, any help will be greatly appreciated!!!

How can i search groups of keywords but i would like the search result to include all of them

Example, give me ALL results where you see SYSERR0001 apple or SYSERR0001 orange or SYSERR0001 grape

i find that if i use the or statement above, splunk search ONLY returns me the right most OR that it finds, however I wish to locate all events that contains the keyword pairs of SYSERR0001 apple or SYSERR0001 orange or SYSERR0001 grape

Re: How to properly use AND / OR in search?

eddychuah — Tue, 02 Jun 2015 20:00:13 GMT

nevermind, figured it out

(apple OR orange OR grape) AND SYSERR0001

Re: How to properly use AND / OR in search?

sideview — Tue, 02 Jun 2015 20:54:45 GMT

Yep. and by the way "AND" is kinda funny in Splunk. It's always redundant in search, so although Splunk doesn't give you an error, you can always remove it when you see it in the initial search clause, or in a subsequent search command downstream. Another way of looking at this is that Splunk mentally puts an "AND" in between any two terms where there isn't an OR. Thus the explicit ones are unnecessary.

Bottom line - (apple OR orange OR grape) SYSERR0001 will work just as well.