I'd like to set up a tag that is restrictive (AND) in its query rather than inclusive (OR). For example, if you specify a tag with many field/value pairs like this:
index=foobar
host=10.17.41.1
host=10.17.41.2
A search using this tag will look for events in index=foobar OR host=10.17.41.1 OR host=10.17.41.2, but I want the search to look for events in index=foobar AND (host=10.17.41.1 OR host=10.17.41.2). I tried explicitly setting the following as a tag but no results were returned:
index=foobar AND (host=10.17.41.1 OR host=10.17.41.2)
Hi dphung,
create an eventtype out of this search http://docs.splunk.com/Documentation/Splunk/6.2.4/knowledge/Defineeventtypes#Save_a_search_as_an_eve... and tag this eventtype and you'll get what you want.
cheers, MuS
Use this:
tag::index=your_tag tag::host=your_tag
That'll prevent the OR'ing between different fields, and ANDs them instead.
Don't change your tag definitions; change your search. tag=foo looks for any tag named foo, while tag::field=foo looks for tags named foo for the specified field only, breaking up the long OR chain.
The point of the question was to not change the search query. I want to keep that part as simple as tag=foo and have that tag expand to the logical equivalent of 'index=foobar AND (host=bar1 OR host=bar2)'.
I was able to do this with a combination of eventtypes and tagging as suggested by @MuS.
You should add such a requirement to your question.
Are you saying I need to add 'tag::' in front of each of my field/value pairs? E.g. My tag would look like:
tag::index=foobar
tag::host=10.17.41.1
tag::host=10.17.41.2
I just tried this and it didn't work. What I want to be able to do is use the tag to reference this set of field/value pairs, so if I named my tag above 'mytag', my search would be:
splunk> tag=mytag somedata
A little circuitous but this works. Here's what I had to do:
1) Create tag=myhosts
host=10.17.41.1
host=10.17.41.2
2) Create an eventtype=my_index_search_terms that binds the index and the hosts with the AND:
search> index=foobar AND tag=myhosts
3) Create a tag aliasing a tag (tag=index_hosts) to the eventtype:
eventtype=my_index_search_terms
So now, when I do a search like:
> tag=index_hosts status=404
It refines that search to only look for events coming from those hosts in that index.
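The same three steps expressed as on-disk Splunk configuration, added here as an illustration and not taken from the original answer. It assumes the tag and eventtype names used in the post and that the stanzas go into an app's local/ directory (e.g. $SPLUNK_HOME/etc/apps/<your_app>/local/); the naive single tag is shown first so the difference is visible.

```ini
# --- tags.conf: the naive approach from the question ---
# A tag is only a set of field=value pairs; Splunk expands tag=mytag
# into those pairs joined by OR, so index=foobar is OR'd with the hosts.
[index=foobar]
mytag = enabled
[host=10.17.41.1]
mytag = enabled
[host=10.17.41.2]
mytag = enabled

# --- tags.conf: step 1, a tag that only groups the hosts (OR is wanted here) ---
[host=10.17.41.1]
myhosts = enabled
[host=10.17.41.2]
myhosts = enabled

# --- eventtypes.conf: step 2, the eventtype supplies the AND ---
# An eventtype is a saved search string, so any boolean logic is allowed.
[my_index_search_terms]
search = index=foobar AND tag=myhosts

# --- tags.conf: step 3, tag the eventtype so searches stay tag=index_hosts ---
[eventtype=my_index_search_terms]
index_hosts = enabled
```

After a restart or a tag/eventtype reload, tag=index_hosts status=404 resolves to eventtype=my_index_search_terms, i.e. index=foobar AND (host=10.17.41.1 OR host=10.17.41.2) AND status=404; keep the eventtype's search string narrow, since whatever it matches is what the tag will quietly pull in.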