Splunk Search

AND OR Boolean Operators

MeMilo09
Path Finder

Hello,

I have a small dilemma around AND OR boolean operators. I don't want null time logs for event=timeOut, but at the same time I also want the null values for event=timeOut because I need that info too. Would like to know if using OR instead of AND in the where clause would do that for me?

index="mvp.sl.idx"
| eval DeliverToService=case(event="timeOut", logTime)
| eval NullDeliverToService=case(event,"timeOut", logTime)
| stats values(DeliverToService) as DeliverToService values(NullDeliverToService) as NullDeliverToService
| where isNotNull(DeliverToService) OR isNull(NullDeliverToService)


ITWhisperer
SplunkTrust

Not entirely clear what you are trying to do here. The case statement in the second eval doesn't look like valid syntax. However, assuming it is supposed to be event="timeout", both DeliverToService and NullDeliverToService will be identical, so if the where clause has an AND instead of OR, you will get no results as the two lists of values generated by the stats command will either both be null or both contain the same values. This doesn't sound like what you are trying to achieve?


MeMilo09
Path Finder

@ITWhisperer 

Thank you, I only keep one eval and what I will do is also just keep 1 where clause, so I will do the below. In doing so I will exclude the null values too for DeliverToService. What I was trying to do at first was have separate columns one for null values and one for isNotNull values - but I was just getting the same data for both columns.

index="mvp.sl.idx"
| eval DeliverToService=case(event="timeOut", logTime)
| stats values(DeliverToService) as DeliverToService
| where isNotNull(DeliverToService)
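As an added example that is not part of this thread (neither poster's search), the following search reproduces ITWhisperer's point and the separate null/non-null columns the original question asked for, on constructed data. The four sample events are built with makeresults rather than read from index="mvp.sl.idx"; the field names event, logTime, DeliverToService and NullDeliverToService come from the thread, while timeOutWithoutLogTime, timeOutWithLogTime, keptByAND and keptByOR are names assumed here. Event 3 is a timeOut with no logTime, which is the "null time log" case the question is about.

```spl
| makeresults count=4
| streamstats count as n
| eval event=case(n=1, "timeOut", n=2, "delivered", n=3, "timeOut", n=4, "timeOut")
| eval logTime=case(n=1, "2024-03-01 10:00:00", n=2, "2024-03-01 10:05:00", n=4, "2024-03-01 10:10:00")
| eval DeliverToService=case(event="timeOut", logTime)
| eval NullDeliverToService=case(event="timeOut", logTime)
| stats values(DeliverToService) as DeliverToService
        values(NullDeliverToService) as NullDeliverToService
        count(eval(event="timeOut" AND isnull(logTime))) as timeOutWithoutLogTime
        count(eval(event="timeOut" AND isnotnull(logTime))) as timeOutWithLogTime
| eval keptByAND=if(isnotnull(DeliverToService) AND isnull(NullDeliverToService), "yes", "no")
| eval keptByOR=if(isnotnull(DeliverToService) OR isnull(NullDeliverToService), "yes", "no")
```

The search returns one row. DeliverToService and NullDeliverToService hold the same two values (the logTime of events 1 and 4), because both evals apply the same condition, so the value list is never null while the other one is populated: keptByAND is "no" (a where clause with AND would drop the row, as the accepted answer says) and keptByOR is "yes". The two count(eval(...)) columns are what actually separates the cases: timeOutWithoutLogTime is 1 (event 3) and timeOutWithLogTime is 2, so the timeOut events with a missing time are still counted rather than silently dropped by values(), which skips null values.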
