Knowledge Management

Unexpected search results... How do parentheses, OR, and NOT work in search language?

snoobzilla
Builder

How do parentheses, OR, and NOT work in search language? If I do something like...

( source=foo "somesearchterm" ) OR ( source=bar NOT "othersearchterm" NOT "anothersearchterm" )

I get a lot more results when I run the two sides of the OR as separate searches than when run as above. With sources foo and bar being distinct logs, why would they impact each other? Shouldn't I get the same results as if I used a subsearch?

( source=foo "somesearchterm" ) | append [ ( source=bar NOT "othersearchterm" NOT "anothersearchterm" ) ]

I do not... So I guess the question is how do parentheses and OR work in search language? How could two examples above yield different results with foo and bar being distinct sources?

We had these as two distinct eventtypes, but got weird results when it was eventtype=baz* where this would include both of them. Then tried to put them in single eventtype and got similar results. Also tried explicit AND. There are a large number of results in the "NOT" criteria.

Thanks

0 Karma
1 Solution

snoobzilla
Builder

Net net... as it says in the documentation, using lots of NOTs is NOT a good idea. We ended up switching to inclusive search in eventtype.

View solution in original post

snoobzilla
Builder

Net net... as it says in the documentation, using lots of NOTs is NOT a good idea. We ended up switching to inclusive search in eventtype.

snoobzilla
Builder

I trimmed the question to be more to the point.

0 Karma

rsennett_splunk
Splunk Employee
Splunk Employee

When using subsearch, Splunk evaluates the search in the brackets first and then uses it as an argument in the main search. That might not be what you want... or you might need to be more specific about what the "argument" is. While the theory behind the boolean stuff is interesting, I think you might want to get back to specifics. Most problems with long boolean comparisons come from one rule inadvertently affecting the other. If you can add some data and search specifics... we'll probably get where you want faster. Your example is perfectly reasonable... so it must be data related and perhaps, as I said, some accidental overkill. Leave the first part of your question, and add some event samples and your search attempts in addition to the results... someone will probably be able to catch the issue there...

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma

rsennett_splunk
Splunk Employee
Splunk Employee

the quickest way to see the difference in terms of how Splunk sees each request is to look at the job inspector. ("job" dropdown on the same line as the number of events in the search view... it's on the right. Check "normalizedSearch" and compare.

It would be helpful if you gave a sample of the events, definitions of eventtypes... and what the difference between linecount=1 or linecount<3 means to the data. The linecount field contains the number of lines an event contains. This is the number of lines an event contains before it is indexed. So it's not possible really possible to follow along without understanding what the data looks like.

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma

snoobzilla
Builder

I looked at normalized search in job inspector... litsearch appears the same to me.

I guess the question really is how do parentheses work in this case... If I do something like...

( source=foo "somesearchterm" ) OR ( source=bar NOT "othersearchterm" NOT "anothersearchterm" )

With sources foo and bar being distinct logs, why would they impact each other?

Shouldn't I get the same results as if I used a subsearch?

( source=foo "somesearchterm" ) | append [ ( source=bar NOT "othersearchterm" NOT "anothersearchterm" ) ]

I do not... ? Thanks

0 Karma
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...