topic Re: AND OR not working correctly in Splunk Search

AND OR not working correctly

davidcraven02 — Fri, 05 Jan 2018 19:48:12 GMT

I am getting the below error when trying to form an AND & OR in my query.

Error in 'eval' command: The expression is malformed. Expected ).

My eval is below:

| eval Action=if((MonitoringStatus="Not Monitored") AND(like(Path,"%Hosting%") 
 AND Location="Varonis" 
 OR(7DayBackUpStatus="Not Backed Up") "Action Required","No Action Required")

Re: AND OR not working correctly

somesoni2 — Fri, 05 Jan 2018 19:58:09 GMT

Try this (you're missing a closing braces on conditions and command before "Action Required")

| eval Action=if((MonitoringStatus="Not Monitored") AND 
( like(Path,"%Hosting%")  AND Location="Varonis" OR (7DayBackUpStatus="Not Backed Up")),  "Action Required","No Action Required")

Re: AND OR not working correctly

micahkemp — Fri, 05 Jan 2018 19:59:20 GMT

The field name that starts with the number 7 needs to be in single quotes:

| eval Action=if(
    (MonitoringStatus="Not Monitored")
    AND (
        like(Path,"%Hosting%")
        AND Location="Varonis" 
        OR  '7DayBackUpStatus'="Not Backed Up"
    ), "Action Required", "No Action Required")

I suggest putting parentheses when you mix AND and OR. I'm not sure what your intent might be, but you may consider one of these variants:

| eval Action=if(
    (MonitoringStatus="Not Monitored")
    AND (
        (like(Path,"%Hosting%") AND Location="Varonis")
        OR  '7DayBackUpStatus'="Not Backed Up"
    ), "Action Required", "No Action Required")

| eval Action=if(
    (MonitoringStatus="Not Monitored")
    AND (
        like(Path,"%Hosting%")
        AND (Location="Varonis" OR '7DayBackUpStatus'="Not Backed Up")
    ), "Action Required", "No Action Required")

Re: AND OR not working correctly

mayurr98 — Fri, 05 Jan 2018 20:13:36 GMT

Hey

Try this !

 | eval Action=if(((MonitoringStatus="Not Monitored") AND (like(Path,"%Hosting%")) AND Location="Varonis" OR  '7DayBackUpStatus'="Not Backed Up"), "Action Required", "No Action Required")

Let me know if this helps you !

Re: AND OR not working correctly

davidcraven02 — Fri, 05 Jan 2018 20:39:27 GMT

Sorry I marked this accepted prematurely. it doesn't seem the OR statement is kicking in as there are more than 50 rows of data that are listed as 'Not Backed Up'

Re: AND OR not working correctly

mayurr98 — Fri, 05 Jan 2018 20:49:29 GMT

I do not know how to deal with fieldname starting with a number i may be wrong
Can you change the fieldname to sevendaybackupstatus

  | eval Action=if(((MonitoringStatus="Not Monitored") AND (like(Path,"%Hosting%")) AND Location="Varonis" OR  sevendaybackupstatus="Not Backed Up"), "Action Required", "No Action Required")

Try this

 | rename “7DayBackUpStatus” as sevendaybackupstatus | eval Action=if(((MonitoringStatus="Not Monitored") AND (like(Path,"%Hosting%")) AND Location="Varonis" OR  sevendaybackupstatus="Not Backed Up"), "Action Required", "No Action Required")

Re: AND OR not working correctly

micahkemp — Fri, 05 Jan 2018 20:51:42 GMT

I've updated my answer to also take into consideration two alternate searches (grouped AND/OR with parentheses to make it more clear) that may correct your logic issue as well.