Solved: Multiple WHERE's in Query

inovexsean · ‎02-19-2019

I'm trying to write an ANTLR grammar for Splunk queries and an example of the queries that my system receives is as follows :

...|append[|tstats count where (index=accm_*) earliest=1d@d latest=now where (index=accm_*) siteId="my_site",selectors{}.categories{}=* by selectors{}.categories{}|...

I do not see in the documentation how the previous statement could have where specified twice. Could someone please explain this to me?

woodcock · ‎03-07-2019

That is not valid syntax. Replace the second where with AND.

View solution in original post

woodcock · ‎03-07-2019

That is not valid syntax. Replace the second where with AND.

inovexsean · ‎03-07-2019

Thanks. That was my suspicion, but I'm not familiar enough with the QL to be certain. The queries are written by other people and we're just auditing them.

FrankVl · ‎03-07-2019

Not entirely sure what your on about either, but that second where doesn't make any sense there, same for the , after siteId="my_site".

woodcock · ‎03-06-2019

Um ... .... ....... ? Please rephrase with 500% more text at a minimum.

Multiple WHERE's in Query

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?