inovexsean
Explorer
02-19-2019
07:47 AM
I'm trying to write an ANTLR grammar for Splunk queries and an example of the queries that my system receives is as follows:
...|append[|tstats count where (index=accm_*) earliest=1d@d latest=now where (index=accm_*) siteId="my_site",selectors{}.categories{}=* by selectors{}.categories{}|...
I do not see in the documentation how the previous statement could have where specified twice. Could someone please explain this to me?
1 Solution
woodcock
Esteemed Legend
03-07-2019
05:01 AM
That is not valid syntax. Replace the second where with AND.
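For anyone auditing queries in bulk, the rule in the answer above can be checked mechanically. This is an added example, not part of the original posts: `TOKEN`, `audit_tstats` and the second test query are hypothetical, and it assumes the `where` keyword is matched case-insensitively and that `|`, `[` and `]` outside quotes always start a new command stage.

```python
import re

# Quoted strings are matched first so a keyword inside a value is never counted.
TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"|[|\[\]]|[^\s"|\[\]]+')

# The query from the question, elisions included.
QUERY = ('...|append[|tstats count where (index=accm_*) earliest=1d@d latest=now '
         'where (index=accm_*) siteId="my_site",selectors{}.categories{}=* '
         'by selectors{}.categories{}|...')


def audit_tstats(query):
    """Return (offsets, fixed_query).

    offsets: character offset of every repeated `where` inside a tstats stage.
    fixed_query: the query with those occurrences replaced by AND, as the
    answer suggests. Everything else is copied through byte for byte.
    """
    offsets, out, last = [], [], 0
    first, in_tstats, seen_where = True, False, False
    for m in TOKEN.finditer(query):
        tok = m.group()
        if tok in ("|", "[", "]"):
            # Simplification: a pipe or subsearch bracket begins a new stage.
            first, in_tstats, seen_where = True, False, False
            continue
        if first:
            # First token of a stage is the command name. A stand-alone
            # `| where ...` command lands here and is never flagged.
            first, in_tstats = False, tok.lower() == "tstats"
        elif in_tstats and tok.lower() == "where":
            if seen_where:
                offsets.append(m.start())
                out.append(query[last:m.start()] + "AND")
                last = m.end()
            seen_where = True
    out.append(query[last:])
    return offsets, "".join(out)


if __name__ == "__main__":
    hits, fixed = audit_tstats(QUERY)
    for off in hits:
        print(f"repeated 'where' in tstats stage at offset {off}")
    print(fixed)
```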
inovexsean
Explorer
03-07-2019
05:33 AM
Thanks. That was my suspicion, but I'm not familiar enough with the QL to be certain. The queries are written by other people and we're just auditing them.
FrankVl
Ultra Champion
03-07-2019
12:11 AM
Not entirely sure what you're on about either, but that second where doesn't make any sense there, same for the , after siteId="my_site".
woodcock
Esteemed Legend
03-06-2019
09:21 PM
Um ... .... ....... ? Please rephrase with 500% more text at a minimum.
