Re: Using multiple OR operators

shiftey · ‎05-28-2015

Hi guys

Im doing a correlation search where Im looking for hostnames and filtering for events I dont want. eg.

sourcetype=dhcplogs where dest!=Prefix1* OR dest!=Prefix2* OR dest!=Prefix3* OR dest!=Prefix4* .....

Is there a more efficient way of grouping multiple OR operators together? Would this help with search processing, or just tidier to read.

Cheers

lguinn2 · ‎06-19-2017

Wish Granted!!! In Splunk 6.6 -

Search command supports IN operator

sourcetype=xyz status IN (100, 102, 103)

Eval and where commands support in function

| where in(status,"222","333","444","555")

DalJeanis · ‎04-26-2017

This test will ALWAYS be true...

dest!=Prefix1* OR dest!=Prefix2*

...because...
Prefix1PlusSomeStuff is not equal to Prefix2*, so it meets the second criteria.

Prefix2PlusSomeStuff is not equal to Prefix1*, so it meets the first criteria.

...so, that should be coded in either of the following ways...

 NOT ( dest=Prefix1* OR dest=Prefix2*)

...or...

 (dest!=Prefix1* AND dest!=Prefix2*)

stephanefotso · ‎05-28-2015

Hello!
No, there is not another way to do it. And you don't have to put the where clause. just type your search like this:

sourcetype=dhcplogs  (dest!=Prefix1* OR dest!=Prefix2* OR dest!=Prefix3* OR dest!=Prefix4)

Thanks

SGF

shiftey · ‎05-28-2015

Ive also tried

replace prefix1* with prefix1 in dest| replace prefix2* with prefix* in dest | where dest!=prefix1 OR dest!=prefix2

however that has 0 results. Im thinking Splunk is not treating prefix1* as a wildcard but a string?

Any more advice is most welcome.

Cheers

stephanefotso · ‎05-29-2015

No. There was an error in my query. That is what to write.

replace prefix1* with prefix1 in dest| replace prefix2* with prefix2 in dest | where dest!=prefix1 OR dest!=prefix2

And, If prefix1* is a string in your events, means, you are not trying to match any caracter, just write

...| where dest!="prefix1*" OR dest!="prefix2*"

Thanks

SGF

shiftey · ‎05-28-2015

Thanks stephanefotso,

I'm using this in a new correlation search using guided mode. Im at the filter stage of the search creation wizard and have put:

dest!=Prefix1* OR dest!=Prefix2*

yet there is an error below that says
" ! Search does not parse"

I've used the network sessions datamodel and specified the search time.

How would I know what "Application Context" to use for each correlation search?

Thanks for your help

shiftey · ‎05-28-2015

I also specified DHCP as part of the network session data model..

stephanefotso · ‎05-28-2015

If you are at the filter stage, i thing, you must use the where clause. But the problem is that, the star() can not works with the where clause. Means `|where dest!=Prefix1 `is an error.

SGF

stephanefotso · ‎05-28-2015

try:

  ...|replace Prefix1* with Prefix1 in dest|replace Prefix2* with Prefix2 in dest|where dest!=Prefix1 OR dest!=Prefix2

SGF

Using multiple OR operators

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Data Management Digest – May 2026

Join the Conversation