Knowledge Management

Can I specify a tag that logically ANDs the field value pairs?

dphung
Explorer

I'd like to setup a tag that is restrictive (AND) in its query rather than inclusive (OR). For example, if you specify a tag with many field value pairs like this:

index=foobar
host=10.17.41.1
host=10.17.41.2

A search using this tag will look for events in index=foobar OR host=10.17.41.1 OR host=10.17.41.2, but I want the search to look for events in index=foobar AND (host=10.17.41.1 OR host=10.17.41.2). I tried explicitly setting the following as a tag but no results were returned:

index=foobar AND (host=10.17.41.1 OR host=10.17.41.2)
Tags (1)
0 Karma
1 Solution

MuS
SplunkTrust
SplunkTrust

Hi dphung,

create an eventtype out of this search http://docs.splunk.com/Documentation/Splunk/6.2.4/knowledge/Defineeventtypes#Save_a_search_as_an_eve... and tag this eventype and your get what you want.

cheers, MuS

View solution in original post

martin_mueller
SplunkTrust
SplunkTrust

Use this:

tag::index=your_tag tag::host=your_tag

That'll prevent the OR'ing between different fields, and ANDs them instead.

martin_mueller
SplunkTrust
SplunkTrust

Don't change your tag definitions, change your search. tag=foo looks for any tag named foo, tag::field=foo looks for tags named foo for the specified field only, breaking up the long OR chain.

0 Karma

dphung
Explorer

The point of the question was to not change the search query. I want to keep that part as simple as tag=foo and have that tag expand to the logical equivalent of
'index=foobar AND (host=bar1 OR host=bar2)

I was able to do this with a combination of eventtypes and tagging as suggested by @MuS.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

You should add such a requirement to your question.

dphung
Explorer

Are you saying I need to add 'tag::' in front of each of my field/value pairs? E.g. My tag would look like:

tag::index=foobar
tag::host=10.17.41.1
tag::host=10.17.41.2

I just tried this and it didn't work. What I want to be able to do is use the tag to reference this set of field/value pairs, so if I named my tag above 'mytag', my search would be:

splunk> tag=mytag somedata

0 Karma

MuS
SplunkTrust
SplunkTrust

Hi dphung,

create an eventtype out of this search http://docs.splunk.com/Documentation/Splunk/6.2.4/knowledge/Defineeventtypes#Save_a_search_as_an_eve... and tag this eventype and your get what you want.

cheers, MuS

dphung
Explorer

A little circuitous but this works. Here's what I had to do:

1) Create tag=myhosts
host=10.17.41.1
host=10.17.41.2

2) Create an eventtype=my_index_search_terms that bound the index and the hosts with the AND
search> index=foobar AND tag=myhosts

3) Create a tag aliasing a tag (tag=index_hosts) to the eventtype:
eventtype=my_index_search_terms

So now, when I do a search like:
> tag=index_hosts status=404

It refines that search to only look for events coming from that host in that index.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...