Hello Guys,
I am getting confused about this below query, can anyone help me to understand it.
Actually in the search query there is "AND" commands with the same Field name, I am not getting to know how the "AND" command works here for same field. If its a "OR" command then the query will check for both the values, but where as coming to "AND" command how does it works in the same field name. Can someone help me out regarding this....
index=* source="WinEventLog:Microsoft-Windows-PowerShell/Operational" AND ((EventCode="800" AND EventData="*-ItemProperty*" AND EventData="*\\SYSTEM\\CurrentControlSet\\Control\\Lsa*" AND EventData="*DsrmAdminLogonBehavior*") OR (EventCode="4103" AND Payload="*-ItemProperty*" AND Payload="*\\SYSTEM\\CurrentControlSet\\Control\\Lsa*" AND Payload="*DsrmAdminLogonBehavior*") OR (EventCode="4104" AND ScriptBlockText="*-ItemProperty*" AND ScriptBlockText="*\\SYSTEM\\CurrentControlSet\\Control\\Lsa*" AND ScriptBlockText="*DsrmAdminLogonBehavior*"))
Thanks in advance......
Firstly, that's a very badly written search 😉
But seriously - because of how splunk indexes data and searches it afterwards, it's a very inefficient way to include a wildcard at the beginning of the search term - it causes Splunk to scan all the events and not be able to use the pre-built indexes. You can as well just store all your data in a big flat file.
Anyway, your understanding is right - the composite condition searches for events that fulfill all those conditions at the same time which means that EventData contains all those strings at the same time - a single matching event must have all those in the contents.
1. If you paste a search, please use a code block of preformatted style. And - if possible - indent it. It's easier to read.
2. The AND operator is implied between separate conditions - if there are no operators explicitly placed there, AND is used as if it was placed there. So
a=b c=d e=f
is equivalent to
a=b AND c=d e=f
and equivalent to
a=b AND c=d AND e=f
3. OR has to be explicitly stated and binds the closest conditions with a higher precedence than AND. So
a=b c=d OR e=f
is equal to
a=b AND (c=d OR e=f)
4. NOT binds the closest following condition with the highest priority. So
a=b OR c=d NOT e=f
is equal to
(a=b OR c=d) AND (NOT e=f)
5. If in doubt, use parentheses!
6. https://docs.splunk.com/Documentation/SCS/current/Search/Predicates#Logical_operators
Hello @PickleRick
Thank you for the response and i have understood the AND , OR operators usage. But i mean to ask is in the search query i mentioned in the above it contains the -
EventData="*-ItemProperty*" AND EventData="*\\SYSTEM\\CurrentControlSet\\Control\\Lsa*" AND EventData="*DsrmAdminLogonBehavior*"
Here the same field "EventData" is mentioned three times with different values and is divided with AND operator. So that means the search is looking for all the mentioned values below EventData field in the logs...?
Hope you understood my query....
thanks in advance....
Firstly, that's a very badly written search 😉
But seriously - because of how splunk indexes data and searches it afterwards, it's a very inefficient way to include a wildcard at the beginning of the search term - it causes Splunk to scan all the events and not be able to use the pre-built indexes. You can as well just store all your data in a big flat file.
Anyway, your understanding is right - the composite condition searches for events that fulfill all those conditions at the same time which means that EventData contains all those strings at the same time - a single matching event must have all those in the contents.
hi @PickleRick
Thank you for the response and thank you for the clarity.
I have included the wildcard just for reference and i will replace it with my indexes which are needed to include in the search.
You misunderstood me. I'm not talking about the "index=*" part (which is an inefficient thing but just because you search across all your indexes).
I'm talking about the EventData=*whatever* part.
If you search for something like EventData=whatever or even for EventData=whatever*, Splunk is able to leverage its indexes and chose quickly only those events that have "words" matching your search terms which makes the search much mich faster. If you're searching for "*whatever*" Splunk has no "fixed" thing it can search for so it has to look through all the data it has.
In some cases you can use a search not bound specifically to a single field to restrict the processed events to some subset.
For example, your search contains condition
EventData="*-ItemProperty*"
On it's own it's a very inefficient search since it starts with a wildcard. But since you have a string "ItemProperty*" beginning with a segmenter, you can rework this condition to
ItemProperty* AND EventData="*-ItemProperty*"
This will cause Splunk to restrict its search only to those events in which there is a "word" starting with ItemProperty.
Hi @gcusello
Thank you for the response and my issue is to understand the search query below with AND boolean operator. In this below search query the AND boolean is used multiple times with the same field name that means the AND boolean is looking for the 2 values in the same log.... if not Please clarify how AND boolean works.
index=* source="WinEventLog:Microsoft-Windows-PowerShell/Operational" AND ((EventCode="800" AND EventData="*-ItemProperty*" AND EventData="*\\SYSTEM\\CurrentControlSet\\Control\\Lsa*" AND EventData="*DsrmAdminLogonBehavior*") OR (EventCode="4103" AND Payload="*-ItemProperty*" AND Payload="*\\SYSTEM\\CurrentControlSet\\Control\\Lsa*" AND Payload="*DsrmAdminLogonBehavior*") OR (EventCode="4104" AND ScriptBlockText="*-ItemProperty*" AND ScriptBlockText="*\\SYSTEM\\CurrentControlSet\\Control\\Lsa*" AND ScriptBlockText="*DsrmAdminLogonBehavior*"))
Thanks in advance
Hi @LRathinakumar,
You're confusing the AND operator with the OR operator:
if you use OR you take the results for which one of the two conditions occurs, that is, as you say, two values; the AND operator, on the other hand, is a more exclusive condition because you only take the values for which both conditions are true.
Ciao.
Giuseppe
Hi @LRathinakumar,
at first AND isn't a command but a boolean operator as OR.
Second time, AND is mandatory only in the eval command, in the search isn't mandatory, so your search will return the same results without ANDs.
The logic is that both the conditions correlated by AND must be verified, if you have more AND conditions all of them must be verified.
But what's upir issue?
Ciao.
Giuseppe