Solved: How to phrase a search to find results if two cond...

beans123 · ‎06-01-2023

I am new to using Splunk and having some difficulties with the search query logic. I want to create a dashboard that displays the results of a condition being met, only if another condition is true. Example: if "PropertyOne"=true and "PropertyTwo"=5, return the instances where both of these conditions are met. I have tried using the if, match, and case functions, but I do not think I am using them correctly.

Search formats I've tried:

eval err=if("PropertyOne"=true, "PropertyTwo"=5)

if("PropertyOne"=false AND "PropertyTwo"=5)

eval err=if(match("PropertyOne"=false AND "PropertyTwo"=5), 1,0) <-- Here I added 1 and 0 because I didn't know what else to put in the other two slots needed for the "if" function.

eval err=case("PropertyOne"=true AND "PropertyTwo"=5)

richgalloway · ‎06-01-2023

There are a few ways to do that, depending on what you want to do with the condition.

| eval result=if(PropertyOne=5 AND PropertyTwo=0, 1, 0)
| where result=1

| where (PropertyOne=5 AND PropertyTwo=0)

| search PropertyOne=5 AND PropertyTwo=0

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎06-01-2023

There are a few ways to do that, depending on what you want to do with the condition.

| eval result=if(PropertyOne=5 AND PropertyTwo=0, 1, 0)
| where result=1

| where (PropertyOne=5 AND PropertyTwo=0)

| search PropertyOne=5 AND PropertyTwo=0

---
If this reply helps you, Karma would be appreciated.

How to phrase a search to find results if two conditions are met?

chart

other

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

Cloud Platform | Migrating your Splunk Cloud deployment to Python 3.7