How to use AND condition?

bhaskar5428 · ‎02-23-2023

index=* "ORC from FCS completed" namespace="dk1371-b"
index=* "ORC from ROUTER completed" namespace="dk1692-b"
index=* "ORC from SDS completed." namespace="dk1399-b"

Above query working fine ,

------------------------------------------------------------------------------------------------------

however when am using below its not providing any data

index=* "ORC from FCS completed" namespace="dk1371-b" AND namespace="dk1399-b"

Because ORC from "" is different for namespaces

i have below problem statement

1. I would like to prepare single query where i can use all namespaces like dk1371-b , dk1399-b etc . . . .

2 . In single search i would like have FCS/SDS
"ORC from FCS completed"
"ORC from SDS completed"

PickleRick · ‎02-24-2023

1. Don't search over index=* unless you really have your data all over your indexes. Limiting by index is one of the most efficient way of improving performance

2. You're using AND whereas it seems that you want OR

("ORC from FCS completed" namespace="dk1371-b") OR 
(index=* "ORC from ROUTER completed" namespace="dk1692-b") OR
(index=* "ORC from SDS completed." namespace="dk1399-b")

bhaskar5428 · ‎02-24-2023

index=* ("ORC from FCS completed" OR "ORC from SDS completed." OR "ORC from ROUTER completed") namespace IN ("dk1692-b","dk1399-b","dk1371-b")
| eval dk1692=if(searchmatch("\"ORC from ROUTER completed\" namespace=dk1692-b"),1,0)
| eval dk1399=if(searchmatch("\"ORC from SDS completed\" namespace=dk1399-b"),1,0)
| eval dk1371=if(searchmatch("\"ORC from FCS completed\" namespace=dk1371-b"),1,0)
| stats sum(dk*) as dk*
| search dk1692>90 OR dk1399>60 OR dk1371>60

i would like to save and set this alert , for example if count for dk1692 less than 90 , email alert should receive.

Am able to setup the same as part of individual alert , but how can i setup alert for multiple conditions

is this possible ?

scelikok · ‎02-24-2023

Hi @bhaskar5428,

Please try below;

index=* ("ORC from FCS completed" OR "ORC from SDS completed." OR "ORC from ROUTER completed") namespace IN ("dk1692-b","dk1399-b","dk1371-b")
| eval dk1692=if(searchmatch("\"ORC from ROUTER completed\" namespace=dk1692-b"),1,0) 
| eval dk1399=if(searchmatch("\"ORC from SDS completed\" namespace=dk1399-b"),1,0) 
| eval dk1371=if(searchmatch("\"ORC from FCS completed\"  namespace=dk1371-b"),1,0)  
| stats sum(dk*) as dk*
| search dk1692>90 OR dk1399>60 OR dk1371>60

If this reply helps you an upvote and "Accept as Solution" is appreciated.

bhaskar5428 · ‎02-23-2023

Thanks For solution .
actually can i calculate multiple count in single query
my problem statement is i would like to setup alert based on number of result less that for each service.

index=* "ORC from ROUTER completed" namespace="dk1692-b" | stats count --- Count should be90

index=* "ORC from SDS completed." namespace="dk1399-b" | stats count --- Count should be 60

index=* "ORC from FCS completed" namespace="dk1371-b" | stats count -- Count should be 60

so i would like to setup alert based on above , rather that setup 3 different alerts , how can i form single query and manage threshold

scelikok · ‎02-23-2023

Hi @bhaskar5428,

Please try below two options,

index=* ("ORC from FCS completed" OR "ORC from SDS completed." OR "ORC from ROUTER completed") namespace IN ("dk1692-b","dk1399-b","dk1371-b")

or

index=* "ORC from * completed"  namespace IN ("dk1692-b","dk1399-b","dk1371-b")

If this reply helps you an upvote and "Accept as Solution" is appreciated.

How to use AND condition?

join

Celebrating Fast Lane: 2025 Authorized Learning Partner of the Year

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Are you a member of the Splunk Community?

How to use AND condition?

join

Celebrating Fast Lane: 2025 Authorized Learning Partner of the Year

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency