OR statement with results from DBXquery

DarthHerm
Explorer

Hopefully this makes some sense.

I am working on a dashboard that pulls up activity when someone clicks on the details of a note. The event log lists the note id number, but it is not tied to the product page the user is on.

Leveraging dbxquery, I have a query that generates the Note Ids for the Product page. Depending on the product, there could be just a handful or several hundred.

With the results of the dbxquery, is it possible to take those results and use them as a large OR statement? I considered making the note id a separate drop-down in my dashboard, but having several hundred notes for a specific product makes that difficult. I want the dashboard to show, for the selected product, when a user clicked on the details of that product's notes. Right now it shows all the notes a user pulls up.

dbxquery (sanitized)
| dbxquery query="SELECT o.[CandyNoteInfoId] ,n.[CandyNoteId] ,o.[ProductId] ,o.[NoteTypeId] ,o.[StaffId] as userId ,o.[UpdateUserId] ,n.[Details] FROM [DataBase_Name].[ind].[CandyNoteInfo] o left join [DataBase_Name].[ind].[CandyNote] n on o.[CandyNoteInfoId] = n.[CandyNoteInfoId] where ProductId = 12345" connection="Confection"
| stats count by CandyNoteInfoId

Current search without the DBXquery results. 
index="index_name" userName=pvenkman module="Vendor.Product.BLL.Candy" storedProcedureName=CandyNoteInfoGetById
| dedup _time
| eval newtime=strftime(_time,"%b %d, %Y %I:%M:%S %p %Z")
| table newtime userName serverHost CandyNoteInfoId storedProcedureName
| rename newtime AS "Date and time" userName AS "Username" serverHost AS "Atlas server" CandyNoteInfoId AS "SQL Candy note info id number" storedProcedureName AS "Stored procedure name"


Raw text of event log (sanitized)

{"auditResultSets":null,"schema":"ind","storedProcedureName":"CandyNoteInfoGetById","commandText":"ind.CandyNoteInfoGetById","Locking":null,"commandType":4,"parameters":[{"name":"@RETURN_VALUE","value":0},{"name":"@CandyNoteInfoId","value":15979125}],"serverIPAddress":"000.000.000.000","serverHost":"webserver","clientIPAddress":"111.111.111.111","sourceSystem":"WebSite","module":"Vendor.Product.BLL.Candy","accessDate":"2025-11-14T12:52:15.1335635-07:00","userId":1984,"userName":"pvenkman","traceInformation":[{"type":"Page","class":"Vendor.Product.Web.UI.Website.Client.NotesDetails","method":"Page_Load"},{"type":"Manager","class":"Vendor.Product.BLL.Candy.CandyNoteInfoManager","method":"Get"}]}

Syntax highlighted
{
  auditResultSets: null,
  schema: "ind",
  storedProcedureName: "CandyNoteInfoGetById",
  commandText: "ind.CandyNoteInfoGetById",
  Locking: null,
  commandType: 4,
  parameters: [
    { name: "@RETURN_VALUE", value: 0 },
    { name: "@CandyNoteInfoId", value: 15979125 }
  ],
  serverIPAddress: "000.000.000.000",
  serverHost: "webserver",
  clientIPAddress: "111.111.111.111",
  sourceSystem: "WebSite",
  module: "Vendor.Product.BLL.Candy",
  accessDate: "2025-11-14T12:52:15.1335635-07:00",
  userId: 1984,
  userName: "pvenkman",
  traceInformation: [
    { type: "Page", class: "Vendor.Product.Web.UI.Website.Client.NotesDetails", method: "Page_Load" },
    { type: "Manager", class: "Vendor.Product.BLL.Candy.CandyNoteInfoManager", method: "Get" }
  ]
}


bowesmana
SplunkTrust

You can get the format statement to create an OR query from a multivalue field; is this something you can use?

...
| stats values(CandyNoteInfoId) as search
| format


livehybrid
SplunkTrust

Hi @DarthHerm 

I started to look into this but hit a stumbling block.

You can get a subquery to return an OR using the 'return' command, such as:

| makeresults count=2 | eval product=123 | streamstats count as CandyNoteInfoId | return 100 CandyNoteInfoId


You would ensure that the field name returned matches the field in your wider search and then apply this as a subsearch by placing it in square braces ([ ]) as part of your main search. However, in your data I cannot see a CandyNoteInfoId field; I can only see it as part of an object with the name and value in different fields as parameters{}.name, is that right?
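Putting the two replies together, as an added example that is not code from either poster: the dbxquery runs as a subsearch, bowesmana's `stats values(...) as search | format` turns the id list into a bare-term OR (a bare term matches the id inside the raw JSON even though it is not a top-level field, which is what livehybrid's parameters{}.name observation comes down to), and an eval pulls the id out of the parameters array for the table. `$product$` and `$user$` are assumed dashboard token names; the index, module, connection and column names are the ones from the question.

```spl
index="index_name" userName=$user$ module="Vendor.Product.BLL.Candy" storedProcedureName=CandyNoteInfoGetById
    [| dbxquery connection="Confection" query="SELECT DISTINCT o.[CandyNoteInfoId] FROM [DataBase_Name].[ind].[CandyNoteInfo] o WHERE o.[ProductId] = $product$"
     | stats values(CandyNoteInfoId) AS search ```a multivalue field named search makes format emit the bare ids: ( ( 15979125 OR ... ) ) -- $product$ is an assumed token name```
     | format]
| eval CandyNoteInfoId=mvindex('parameters{}.value', mvfind('parameters{}.name', "^@CandyNoteInfoId$")) ```take the value whose sibling name is @CandyNoteInfoId```
| where isnotnull(CandyNoteInfoId) ```drop events where the bare term matched some other number in the JSON```
| dedup _time
| eval newtime=strftime(_time,"%b %d, %Y %I:%M:%S %p %Z")
| table newtime userName serverHost CandyNoteInfoId storedProcedureName
| rename newtime AS "Date and time" userName AS "Username" serverHost AS "Atlas server" CandyNoteInfoId AS "SQL Candy note info id number" storedProcedureName AS "Stored procedure name"
```

Keep the product selector a dropdown populated by a search rather than a free-text input, because its value is spliced straight into the SQL string passed to dbxquery. The subsearch defaults (10,000 results, 60 seconds) comfortably cover several hundred ids.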
