AND OR not working correctly

davidcraven02
Communicator

I am getting the below error when trying to form an AND & OR in my query.

Error in 'eval' command: The expression is malformed. Expected ).

My eval is below:

| eval Action=if((MonitoringStatus="Not Monitored") AND(like(Path,"%Hosting%") 
 AND Location="Varonis" 
 OR(7DayBackUpStatus="Not Backed Up") "Action Required","No Action Required") 

mayurr98
Super Champion

Hey

Try this!

| eval Action=if(((MonitoringStatus="Not Monitored") AND (like(Path,"%Hosting%")) AND Location="Varonis" OR '7DayBackUpStatus'="Not Backed Up"), "Action Required", "No Action Required")

Let me know if this helps you!

davidcraven02
Communicator

Sorry, I marked this accepted prematurely. It doesn't seem the OR statement is kicking in, as there are more than 50 rows of data that are listed as 'Not Backed Up'.


micahkemp
Champion

I've updated my answer to also take into consideration two alternate searches (grouped AND/OR with parentheses to make it more clear) that may correct your logic issue as well.


mayurr98
Super Champion

I do not know how to deal with a field name starting with a number; I may be wrong.
Can you change the field name to sevendaybackupstatus?

| eval Action=if(((MonitoringStatus="Not Monitored") AND (like(Path,"%Hosting%")) AND Location="Varonis" OR sevendaybackupstatus="Not Backed Up"), "Action Required", "No Action Required")

OR

Try this

| rename "7DayBackUpStatus" as sevendaybackupstatus | eval Action=if(((MonitoringStatus="Not Monitored") AND (like(Path,"%Hosting%")) AND Location="Varonis" OR sevendaybackupstatus="Not Backed Up"), "Action Required", "No Action Required")

micahkemp
Champion

The field name that starts with the number 7 needs to be in single quotes:

| eval Action=if(
    (MonitoringStatus="Not Monitored")
    AND (
        like(Path,"%Hosting%")
        AND Location="Varonis" 
        OR  '7DayBackUpStatus'="Not Backed Up"
    ), "Action Required", "No Action Required")

I suggest putting parentheses when you mix AND and OR. I'm not sure what your intent might be, but you may consider one of these variants:

| eval Action=if(
    (MonitoringStatus="Not Monitored")
    AND (
        (like(Path,"%Hosting%") AND Location="Varonis")
        OR  '7DayBackUpStatus'="Not Backed Up"
    ), "Action Required", "No Action Required")

| eval Action=if(
    (MonitoringStatus="Not Monitored")
    AND (
        like(Path,"%Hosting%")
        AND (Location="Varonis" OR '7DayBackUpStatus'="Not Backed Up")
    ), "Action Required", "No Action Required")
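To see what the grouping actually changes, the following search (an added example, not part of any answer above) builds four constructed rows with makeresults and evaluates all three forms side by side. The field names and values are the ones used in the question; the row contents are made up. AsPosted keeps the operators exactly as in the question (the only fix being the single quotes around '7DayBackUpStatus'), GroupedAnd is the first variant and GroupedOr the second:

```spl
| makeresults count=4
| streamstats count AS row
| eval MonitoringStatus="Not Monitored"
| eval Path=case(row=1, "/srv/Hosting/site1",
                 row=2, "/srv/Hosting/site2",
                 row=3, "/srv/Hosting/site3",
                 row=4, "/srv/Archive/site4")
| eval Location=case(row=1, "Varonis",
                     row=2, "Remote",
                     row=3, "Remote",
                     row=4, "Remote")
| eval '7DayBackUpStatus'=case(row=1, "Backed Up",
                               row=2, "Not Backed Up",
                               row=3, "Backed Up",
                               row=4, "Not Backed Up")
| eval AsPosted=if(
    (MonitoringStatus="Not Monitored")
    AND (
        like(Path,"%Hosting%")
        AND Location="Varonis"
        OR  '7DayBackUpStatus'="Not Backed Up"
    ), "Action Required", "No Action Required")
| eval GroupedAnd=if(
    (MonitoringStatus="Not Monitored")
    AND (
        (like(Path,"%Hosting%") AND Location="Varonis")
        OR  '7DayBackUpStatus'="Not Backed Up"
    ), "Action Required", "No Action Required")
| eval GroupedOr=if(
    (MonitoringStatus="Not Monitored")
    AND (
        like(Path,"%Hosting%")
        AND (Location="Varonis" OR '7DayBackUpStatus'="Not Backed Up")
    ), "Action Required", "No Action Required")
| table row Path Location 7DayBackUpStatus AsPosted GroupedAnd GroupedOr
```

Because eval binds AND more tightly than OR, AsPosted and GroupedAnd give identical results on every row: any row that is "Not Backed Up" is flagged regardless of its Path, which is why the question's author saw the OR branch match more rows than expected. GroupedOr only flags rows whose Path contains "Hosting", so row 4 (an Archive path that is not backed up) is "Action Required" under the first two forms and "No Action Required" under the third. Writing the parentheses out explicitly makes the intended reading obvious to the next person who edits the search.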

somesoni2
Revered Legend

Try this (you're missing a closing brace on the conditions and a comma before "Action Required"):

| eval Action=if((MonitoringStatus="Not Monitored") AND
( like(Path,"%Hosting%") AND Location="Varonis" OR ('7DayBackUpStatus'="Not Backed Up")), "Action Required","No Action Required")