Splunk Search

How to phrase a search to find results if two conditions are met?

beans123
Engager

I am new to using Splunk and having some difficulties with the search query logic. I want to create a dashboard that displays the results of a condition being met, only if another condition is true. Example: if "PropertyOne"=true and "PropertyTwo"=5, return the instances where both of these conditions are met. I have tried using the if, match, and case functions, but I do not think I am using them correctly.  

Search formats I've tried:

eval err=if("PropertyOne"=true, "PropertyTwo"=5)

if("PropertyOne"=false AND "PropertyTwo"=5)

eval err=if(match("PropertyOne"=false AND "PropertyTwo"=5), 1,0) <-- Here I added 1 and 0 because I didn't know what else to put in the other two slots needed for the "if" function.

eval err=case("PropertyOne"=true AND "PropertyTwo"=5)


richgalloway
SplunkTrust

There are a few ways to do that, depending on what you want to do with the condition.

| eval result=if(PropertyOne=5 AND PropertyTwo=0, 1, 0)
| where result=1

| where (PropertyOne=5 AND PropertyTwo=0)

| search PropertyOne=5 AND PropertyTwo=0
---
If this reply helps you, Karma would be appreciated.
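As an added example (not part of the original thread), the same two-condition filter written with the question's own field names and values. In eval, double-quoted text is a string literal and an unquoted token is a field name, so "PropertyOne"=true compares the literal string PropertyOne with a field called true; field names go bare or in single quotes, and string values such as true go in double quotes. The index and sourcetype are constructed placeholders.

```spl
index=app_logs sourcetype=app_events
| eval both_met=if('PropertyOne'="true" AND 'PropertyTwo'=5, 1, 0)
| where both_met=1
| stats count AS matching_events BY host
```

The stats line turns the matching events into a count per host that can be placed directly on a dashboard panel.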
