Knowledge Management

Can I specify a tag that logically ANDs the field value pairs?

Explorer

I'd like to setup a tag that is restrictive (AND) in its query rather than inclusive (OR). For example, if you specify a tag with many field value pairs like this:

index=foobar
host=10.17.41.1
host=10.17.41.2

A search using this tag will look for events in index=foobar OR host=10.17.41.1 OR host=10.17.41.2, but I want the search to look for events in index=foobar AND (host=10.17.41.1 OR host=10.17.41.2). I tried explicitly setting the following as a tag but no results were returned:

index=foobar AND (host=10.17.41.1 OR host=10.17.41.2)
Tags (1)
0 Karma
1 Solution

SplunkTrust
SplunkTrust

Hi dphung,

create an eventtype out of this search http://docs.splunk.com/Documentation/Splunk/6.2.4/knowledge/Defineeventtypes#Save_a_search_as_an_eve... and tag this eventype and your get what you want.

cheers, MuS

View solution in original post

SplunkTrust
SplunkTrust

Use this:

tag::index=your_tag tag::host=your_tag

That'll prevent the OR'ing between different fields, and ANDs them instead.

SplunkTrust
SplunkTrust

Don't change your tag definitions, change your search. tag=foo looks for any tag named foo, tag::field=foo looks for tags named foo for the specified field only, breaking up the long OR chain.

0 Karma

Explorer

The point of the question was to not change the search query. I want to keep that part as simple as tag=foo and have that tag expand to the logical equivalent of
'index=foobar AND (host=bar1 OR host=bar2)

I was able to do this with a combination of eventtypes and tagging as suggested by @MuS.

0 Karma

SplunkTrust
SplunkTrust

You should add such a requirement to your question.

Explorer

Are you saying I need to add 'tag::' in front of each of my field/value pairs? E.g. My tag would look like:

tag::index=foobar
tag::host=10.17.41.1
tag::host=10.17.41.2

I just tried this and it didn't work. What I want to be able to do is use the tag to reference this set of field/value pairs, so if I named my tag above 'mytag', my search would be:

splunk> tag=mytag somedata

0 Karma

SplunkTrust
SplunkTrust

Hi dphung,

create an eventtype out of this search http://docs.splunk.com/Documentation/Splunk/6.2.4/knowledge/Defineeventtypes#Save_a_search_as_an_eve... and tag this eventype and your get what you want.

cheers, MuS

View solution in original post

Explorer

A little circuitous but this works. Here's what I had to do:

1) Create tag=myhosts
host=10.17.41.1
host=10.17.41.2

2) Create an eventtype=myindexsearch_terms that bound the index and the hosts with the AND
search> index=foobar AND tag=myhosts

3) Create a tag aliasing a tag (tag=indexhosts) to the eventtype:
`eventtype=my
indexsearchterms`

So now, when I do a search like:
> tag=index_hosts status=404

It refines that search to only look for events coming from that host in that index.

0 Karma