Splunk Search

AND OR Boolean Operators

MeMilo09
Path Finder

Hello,

I have a small dilemma around AND OR boolean operators. I don't want null time logs for event=timeOut, but at the same time I also want the null values for event=timeOut because I need that info too. Would like to know if using OR instead of AND in the where clause would do that for me?

index="mvp.sl.idx"
| eval DeliverToService=case(event="timeOut", logTime)
| eval NullDeliverToService=case(event,"timeOut", logTime)
| stats values(DeliverToService) as DeliverToService values(NullDeliverToService) as NullDeliverToService
| where isNotNull(DeliverToService) OR isNull(NullDeliverToService)

0 Karma
1 Solution

ITWhisperer
SplunkTrust

Not entirely clear what you are trying to do here. The case statement in the second eval doesn't look like valid syntax. However, assuming it is supposed to be event="timeout", both DeliverToService and NullDeliverToService will be identical, so if the where clause has an AND instead of OR, you will get no results as the two lists of values generated by the stats command will either both be null or both contain the same values. This doesn't sound like what you are trying to achieve?


MeMilo09
Path Finder

@ITWhisperer

Thank you, I only keep one eval and what I will do is also just keep 1 where clause, so I will do the below. In doing so I will exclude the null values too for DeliverToService. What I was trying to do at first was have separate columns, one for null values and one for isNotNull values, but I was just getting the same data for both columns.

index="mvp.sl.idx"
| eval DeliverToService=case(event="timeOut", logTime)
| stats values(DeliverToService) as DeliverToService
| where isNotNull(DeliverToService)

0 Karma
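An added example (not from the original thread) showing one way to get the two separate columns the follow-up describes: one holding the non-null logTime values of timeOut events and one counting the timeOut events whose logTime is null. It builds its own sample events with makeresults instead of reading index="mvp.sl.idx"; the field names event and logTime come from the thread, the four sample events are constructed.

```spl
| makeresults count=4
| streamstats count as n
| eval event=case(n<=3, "timeOut", true(), "login")
| eval logTime=case(n=1, "2024-03-01 10:00:00", n=2, "2024-03-01 10:05:00")
| eval DeliverToService=if(event="timeOut" AND isnotnull(logTime), logTime, null())
| eval NullDeliverToService=if(event="timeOut" AND isnull(logTime), n, null())
| stats values(DeliverToService) as DeliverToService, count(NullDeliverToService) as NullDeliverToService
```

The third sample event is a timeOut with no logTime, so it lands in the count column rather than the values column; no where clause is needed afterwards, since filtering on isnull would drop the single row that carries the count.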

