Splunk Dev

AND STATEMENTS - HOW DOES IT LIMIT THE DATA

J_Walker_Ex
New Member

Hi, I have just performed a search

Using Database and file path as the items

(DATABASE) (I:\LOCATION\AREA\UK). This returns 1000000 Results

I tried to QC my method by looking for the following

(DATA AND BASE) (I:\LOCATION\AREA\UK). This only returned 30000 results, which seems strange, as I thought in theory this one should return all the DATABASE entries and any other occurrence of data and base. Am I doing something obviously wrong?

0 Karma

woodcock
Esteemed Legend

In order for them to be similar, you need to use (DATA* AND *BASE). You would very much benefit from examining the lispy generated (the internal Splunk DB language) for each of your searches. Run a search, then after it is done, towards the right above the histogram is a Job menu. Click that and select Inspect job. This will open a new window with useful information, but not the lispy. At the top of this window is a search log link. Click that and search for lispy. Dig and learn.

0 Karma

skalliger
Motivator

Hi,

if I am correct, there is quite a difference here.
Searching for "database" will return events with the term "database". Whereas searching for DATA AND BASE will only return events with the terms data and base.
You would need to specify wildcards in order to get everything that contains the term data, like "*data*", "data*", etc.

Skalli

0 Karma

J_Walker_Ex
New Member

Hi, thanks for your answer.

But if I am searching for DATA and BASE, does this not in theory mean that all the entries for DATABASE will be picked up by this search, as DATABASE contains DATA and BASE?

But this is not what I am seeing: DATABASE is yielding more results than (DATA AND BASE).

if I have say a string like manchesteruniteduseDATAwhentheyareplayinggamestogiveaBASE

and I search for (DATA AND BASE), is it not also going to pick it up?

0 Karma

skalliger
Motivator

No, think of it like SQL (if you know this language).

If you search for something like this:

WHERE x LIKE 'DATA' OR x LIKE 'BASE'

this will only return events where x = DATA or x = BASE, but it will NOT return events with x = DATABASE.

Because then, you would need to define wildcards, something like this:

WHERE x LIKE 'DATA%' OR x LIKE '%BASE'

So, searching for "base" AND "data" will not return database, if it is one term without a space.
Is it clearer now?

Searching for (DATA* AND *BASE) should return all the events you want.

Skalli

0 Karma
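A small Python simulation of the term matching described in the two answers, added here as an illustration; it is not code from the thread or from Splunk, the tokenizer only approximates how Splunk breaks a raw event into indexed terms, and the events are constructed. It shows why a bare DATABASE and (DATA AND BASE) return different sets, what the wildcard form (DATA* AND *BASE) adds, and that text embedded in the middle of a token (the OP's long string) still needs a leading wildcard such as *DATA*.

```python
import fnmatch
import re

# Constructed sample events (not real Splunk data); one raw event per string.
EVENTS = [
    "2024-01-01 host=srv1 action=read DATABASE path=I:\\LOCATION\\AREA\\UK\\a.mdb",
    "2024-01-01 host=srv1 action=copy DATA to BASE share path=I:\\LOCATION\\AREA\\UK\\b.txt",
    "2024-01-01 host=srv2 action=read DATABASE restore of DATA BASE path=I:\\LOCATION\\AREA\\UK\\c.bak",
    "2024-01-01 host=srv3 msg=manchesteruniteduseDATAwhentheyareplayinggamestogiveaBASE path=I:\\LOCATION\\AREA\\UK",
]

# Approximation of Splunk indexing: raw text is split into terms on breaker
# characters (whitespace and common punctuation) and each term is lower-cased.
BREAKERS = re.compile(r"[\s\\/:=,.;()\[\]\"']+")


def tokenize(event):
    """Return the set of indexed terms for one raw event."""
    return {t.lower() for t in BREAKERS.split(event) if t}


def term_matches(term, tokens):
    """A bare term must equal a whole token. A term containing '*' is a
    wildcard and is matched against every token (prefix/suffix/infix)."""
    term = term.lower()
    if "*" in term:
        return any(fnmatch.fnmatchcase(tok, term) for tok in tokens)
    return term in tokens


def parse_query(query):
    """Turn the thread's '(DATA* AND *BASE)' syntax into a list of terms;
    the AND is implicit between terms, so the keyword is dropped."""
    return [t for t in query.strip("() ").split() if t.upper() != "AND"]


def search(query, events=EVENTS):
    """Return the events in which every query term matches at least one token.
    'DATABASE' hits the single token 'database'; 'DATA AND BASE' needs two
    separate tokens, so the two queries select different events."""
    terms = parse_query(query)
    return [ev for ev in events if all(term_matches(t, tokenize(ev)) for t in terms)]


if __name__ == "__main__":
    for q in ["(DATABASE)", "(DATA AND BASE)", "(DATA* AND *BASE)", "(*DATA* AND *BASE*)"]:
        print(f"{q:22} -> {len(search(q))} of {len(EVENTS)} events")
```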