Solved: How to phrase a search to find results if two cond...

beans123 · ‎06-01-2023

I am new to using Splunk and having some difficulties with the search query logic. I want to create a dashboard that displays the results of a condition being met, only if another condition is true. Example: if "PropertyOne"=true and "PropertyTwo"=5, return the instances where both of these conditions are met. I have tried using the if, match, and case functions, but I do not think I am using them correctly.

Search formats I've tried:

eval err=if("PropertyOne"=true, "PropertyTwo"=5)

if("PropertyOne"=false AND "PropertyTwo"=5)

eval err=if(match("PropertyOne"=false AND "PropertyTwo"=5), 1,0) <-- Here I added 1 and 0 because I didn't know what else to put in the other two slots needed for the "if" function.

eval err=case("PropertyOne"=true AND "PropertyTwo"=5)

richgalloway · ‎06-01-2023

There are a few ways to do that, depending on what you want to do with the condition.

| eval result=if(PropertyOne=5 AND PropertyTwo=0, 1, 0)
| where result=1

| where (PropertyOne=5 AND PropertyTwo=0)

| search PropertyOne=5 AND PropertyTwo=0

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎06-01-2023

There are a few ways to do that, depending on what you want to do with the condition.

| eval result=if(PropertyOne=5 AND PropertyTwo=0, 1, 0)
| where result=1

| where (PropertyOne=5 AND PropertyTwo=0)

| search PropertyOne=5 AND PropertyTwo=0

---
If this reply helps you, Karma would be appreciated.

How to phrase a search to find results if two conditions are met?

chart

other

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!