Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

OR statement with results from DBXquery

DarthHerm
Explorer
a month ago

Hopefully this makes some sense.  

I am working on a dashboard that pulls up activity when someone clicks on the details on a note.  The event log lists the note id number but it not tied to the product page the user is on. 

Leveraging dbxquery, I have a query that generates me the Note Ids for the Product page. Pending on the product, there could be just a handful or several hundred. 

with the results of the dbxquery, is it possible to take those results and have it as a large OR statement? I considered making the noteid as a seperate drop down in my dashboard but the problem with multiple hundred notes to a specific product makes it difficult. I want to in the dashboard to show when a user with the product selected to see when they clicked on the details of that product's notes. Right now I have it show all the notes a user pulls up. 

dbxquery (sanitzed)
| dbxquery query="SELECT o.[CandyNoteInfoId] ,n.[CandyNoteId] ,o.[ProductId] ,o.[NoteTypeId] ,o.[StaffId] as userId ,o.[UpdateUserId] ,n.[Details] FROM [DataBase_Name].[ind].[CandyNoteInfo] o left join [DataBase_Name].[ind].[CandyNote] n on o.[CandyNoteInfoId] = n.[CandyNoteInfoId] where ProductId = 12345" connection="Confection"
|stats count by CandyNoteInfoId

Current search without the DBXquery results. 
index="index_name" userName=pvenkman module="Vendor.Product.BLL.Candy" storedProcedureName=CandyNoteInfoGetById
| dedup _time
| eval newtime=strftime(_time,"%b %d, %Y %I:%M:%S %p %Z")
| table newtime userName serverHost CandyNoteInfoId storedProcedureName
| rename newtime AS "Date and time" userName AS "Username" serverHost AS "Atlas server" CandyNoteInfoId AS "SQL Candy note info id number" storedProcedureName AS "Stored procedure name"


Raw text of event log (sanitized)

{"auditResultSets":null,"schema":"ind","storedProcedureName":"CandyNoteInfoGetById","commandText":"ind.CandyNoteInfoGetById","Locking":null,"commandType":4,"parameters":[{"name":"@RETURN_VALUE","value":0},{"name":"@CandyNoteInfoId","value":15979125}],"serverIPAddress":"000.000.000.000","serverHost":"webserver","clientIPAddress":"111.111.111.111","sourceSystem":"WebSite","module":"Vendor.Product.BLL.Candy","accessDate":"2025-11-14T12:52:15.1335635-07:00","userId":1984,"userName":"pvenkman","traceInformation":[{"type":"Page","class":"Vendor.Product.Web.UI.Website.Client.NotesDetails","method":"Page_Load"},{"type":"Manager","class":"Vendor.Product.BLL.Candy.CandyNoteInfoManager","method":"Get"}]}

Syntax highlighted
{ [-]
auditResultSets: null,
schema: "ind",
storedProcedureName: "CandyNoteInfoGetById",
commandText: "ind.CandyNoteInfoGetById",
Locking: null,
commandType: 4,
parameters: [ [-]
{ [-]
name: "@RETURN_VALUE",
value: 0
},
{ [-]
name: "@CandyNoteInfoId",
value: 15979125
}
],
serverIPAddress: "000.000.000.000",
serverHost: "webserver",
clientIPAddress: "111.111.111.111",
sourceSystem: "WebSite",
module: "Vendor.Product.BLL.Candy",
accessDate: "2025-11-14T12:52:15.1335635-07:00",
userId: 1984,
userName: "pvenkman",
traceInformation: [ [-]
{ [-]
type: "Page",
class: "Vendor.Product.Web.UI.Website.Client.NotesDetails",
method: "Page_Load"
},
{ [-]
type: "Manager",
class: "Vendor.Product.BLL.Candy.CandyNoteInfoManager",
method: "Get"
}
]
}

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
a month ago

You can get the format statement to create an OR query with a multivalue field, is this something you can use

...
| stats values(CandyNoteInfoId) as search
| format

View solution in original post

Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
a month ago

You can get the format statement to create an OR query with a multivalue field, is this something you can use

...
| stats values(CandyNoteInfoId) as search
| format
Reply
Solved! Jump to solution

livehybrid
SplunkTrust
SplunkTrust
a month ago

Hi @DarthHerm 

I started to look into this but hit a stumbling block.

You can get a subquery to return an OR using the 'return' command, such as:

| makeresults count=2 | eval product=123 | streamstats count as CandyNoteInfoId | return 100 CandyNoteInfoId

livehybrid_0-1763420106129.png

 

You would ensure that the fieldname returned matches the field in your wider search and then apply this as a subsearch by placing in square braces ([ ]) as part of your main search - however in your data I cannot see a CandyNoteInfoId field, I can only see it as part of an object with the name and value in different fields as parameters{}.name, is that right? 

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...