Solved: help on where condition

jip31 · ‎10-23-2020

hi

I use the search below

| inputlookup lookup_xx where TYPE="Ind" 
| search DOMAIN=I OR DOMAIN=B OR DOMAIN=W 
| rename HOSTNAME as host 
| table host TYPE DOMAIN

Instead using | search, I would like to include this in my Where condition but it doesnt works

| inputlookup lookup_xx where TYPE="Ind" AND (DOMAIN=I OR DOMAIN=B OR DOMAIN=W) 
| rename HOSTNAME as host 
| table host TYPE DOMAIN

how to do this please?

and for performances is it better to use Where or search?

[| inputlookup lookup_xx
| search TYPE="Ind" AND (DOMAIN=I DOMAIN=B OR DOMAIN=W) 
| rename HOSTNAME as host ] `w`

And why I can do

[| inputlookup lookup_xx
    | where TYPE="Ind" OR (DOMAIN=I OR DOMAIN=B OR DOMAIN=W)

But not

[| inputlookup lookup_xx 
    | where TYPE="Ind" AND (DOMAIN=I OR DOMAIN=B OR DOMAIN=W)

Thanks for your help

alemarzu · ‎10-23-2020

Have you tried without using boolean operators outside parenthesis, like this?

| inputlookup lookup_xx where TYPE="Ind" (DOMAIN=I OR DOMAIN=B OR DOMAIN=W)

alemarzu · ‎10-23-2020

Have you tried without using boolean operators outside parenthesis, like this?

| inputlookup lookup_xx where TYPE="Ind" (DOMAIN=I OR DOMAIN=B OR DOMAIN=W)

jip31 · ‎10-25-2020

perfect thanks

help on where condition