Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

OR conditional combination show less events

jnahuelperez35
Path Finder
‎01-01-2017 01:13 PM

Hi Guys! It's me again!
A few days ago i was asking how can i eval some fields and get the total from them. Now i want to show those in a table format and for that, i made this search:

index=MY_INDEX (FIRST_ACT=5 AND SECOND_ACT=2) OR (FIRST_ACT=5 and SECOND_ACT=4 and STAT_FLAG=0) OR (FIRST_ACT=5 and SECOND_ACT=4 and STAT_FLAG=4).

This search returns 10 events, but, in fact, there 14 events. How i know that? Because i have another panel that show's me the same events, but with and eval expression and a Single Value accumulation:

MySearch | eval UTCOD=if((FIRST_ACT=5 and SECOND_ACT=2), 1, 0) | eval UTCOQ=if((FIRST_ACT=5) and (SECOND_ACT=4) and (STAT_FLAG=0), 1, 0) | eval UTSQ=if((FIRST_ACT=5) and (SECOND_ACT=4) and (STAT_FLAG=4), 1, 0) |  eval all_UT=UTCOD+UTCOQ+UTSQ | status sum(all_UT) as total

So ...why is that? Why when i search with OR conditional the result is 10, but when the search is made with EVAL founds 14 events?

Thanks a lot for help.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎01-01-2017 01:19 PM

I think the order in which each expression is evaluated may be affecting the results. Try this.

index=MY_INDEX ((FIRST_ACT=5 AND SECOND_ACT=2) OR (FIRST_ACT=5 AND SECOND_ACT=4 AND STAT_FLAG=0) OR (FIRST_ACT=5 AND SECOND_ACT=4 AND STAT_FLAG=4))
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎01-01-2017 01:19 PM

I think the order in which each expression is evaluated may be affecting the results. Try this.

index=MY_INDEX ((FIRST_ACT=5 AND SECOND_ACT=2) OR (FIRST_ACT=5 AND SECOND_ACT=4 AND STAT_FLAG=0) OR (FIRST_ACT=5 AND SECOND_ACT=4 AND STAT_FLAG=4))
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

jnahuelperez35
Path Finder
‎01-01-2017 01:34 PM

OMG!...i feel so noob... All i need was a couple "()" to group all the conditional expression... And i swear that try with that, but surely in the wrong way.

You answer is the solution!

Thanks a lot RichGalloway! Happy New Year from Argentina!

0 Karma
Reply
Get Updates on the Splunk Community!

Observability Newsletter Highlights | March 2023

 March 2023 | Check out the latest and greatestSplunk APM's New Tag Filter ExperienceSplunk APM has updated ...

Security Newsletter Updates | March 2023

 March 2023 | Check out the latest and greatestUnify Your Security Operations with Splunk Mission Control The ...

Platform Newsletter Highlights | March 2023

 March 2023 | Check out the latest and greatestIntroducing Splunk Edge Processor, simplified data ...