Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

OR statement with results from DBXquery

DarthHerm
Explorer
‎11-17-2025 02:15 PM

Hopefully this makes some sense.  

I am working on a dashboard that pulls up activity when someone clicks on the details on a note.  The event log lists the note id number but it not tied to the product page the user is on. 

Leveraging dbxquery, I have a query that generates me the Note Ids for the Product page. Pending on the product, there could be just a handful or several hundred. 

with the results of the dbxquery, is it possible to take those results and have it as a large OR statement? I considered making the noteid as a seperate drop down in my dashboard but the problem with multiple hundred notes to a specific product makes it difficult. I want to in the dashboard to show when a user with the product selected to see when they clicked on the details of that product's notes. Right now I have it show all the notes a user pulls up. 

dbxquery (sanitzed)
| dbxquery query="SELECT o.[CandyNoteInfoId] ,n.[CandyNoteId] ,o.[ProductId] ,o.[NoteTypeId] ,o.[StaffId] as userId ,o.[UpdateUserId] ,n.[Details] FROM [DataBase_Name].[ind].[CandyNoteInfo] o left join [DataBase_Name].[ind].[CandyNote] n on o.[CandyNoteInfoId] = n.[CandyNoteInfoId] where ProductId = 12345" connection="Confection"
|stats count by CandyNoteInfoId

Current search without the DBXquery results. 
index="index_name" userName=pvenkman module="Vendor.Product.BLL.Candy" storedProcedureName=CandyNoteInfoGetById
| dedup _time
| eval newtime=strftime(_time,"%b %d, %Y %I:%M:%S %p %Z")
| table newtime userName serverHost CandyNoteInfoId storedProcedureName
| rename newtime AS "Date and time" userName AS "Username" serverHost AS "Atlas server" CandyNoteInfoId AS "SQL Candy note info id number" storedProcedureName AS "Stored procedure name"


Raw text of event log (sanitized)

{"auditResultSets":null,"schema":"ind","storedProcedureName":"CandyNoteInfoGetById","commandText":"ind.CandyNoteInfoGetById","Locking":null,"commandType":4,"parameters":[{"name":"@RETURN_VALUE","value":0},{"name":"@CandyNoteInfoId","value":15979125}],"serverIPAddress":"000.000.000.000","serverHost":"webserver","clientIPAddress":"111.111.111.111","sourceSystem":"WebSite","module":"Vendor.Product.BLL.Candy","accessDate":"2025-11-14T12:52:15.1335635-07:00","userId":1984,"userName":"pvenkman","traceInformation":[{"type":"Page","class":"Vendor.Product.Web.UI.Website.Client.NotesDetails","method":"Page_Load"},{"type":"Manager","class":"Vendor.Product.BLL.Candy.CandyNoteInfoManager","method":"Get"}]}

Syntax highlighted
{ [-]
auditResultSets: null,
schema: "ind",
storedProcedureName: "CandyNoteInfoGetById",
commandText: "ind.CandyNoteInfoGetById",
Locking: null,
commandType: 4,
parameters: [ [-]
{ [-]
name: "@RETURN_VALUE",
value: 0
},
{ [-]
name: "@CandyNoteInfoId",
value: 15979125
}
],
serverIPAddress: "000.000.000.000",
serverHost: "webserver",
clientIPAddress: "111.111.111.111",
sourceSystem: "WebSite",
module: "Vendor.Product.BLL.Candy",
accessDate: "2025-11-14T12:52:15.1335635-07:00",
userId: 1984,
userName: "pvenkman",
traceInformation: [ [-]
{ [-]
type: "Page",
class: "Vendor.Product.Web.UI.Website.Client.NotesDetails",
method: "Page_Load"
},
{ [-]
type: "Manager",
class: "Vendor.Product.BLL.Candy.CandyNoteInfoManager",
method: "Get"
}
]
}

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎11-17-2025 04:20 PM

You can get the format statement to create an OR query with a multivalue field, is this something you can use

...
| stats values(CandyNoteInfoId) as search
| format

View solution in original post

Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎11-17-2025 04:20 PM

You can get the format statement to create an OR query with a multivalue field, is this something you can use

...
| stats values(CandyNoteInfoId) as search
| format
Reply
Solved! Jump to solution

livehybrid
SplunkTrust
SplunkTrust
‎11-17-2025 03:05 PM

Hi @DarthHerm 

I started to look into this but hit a stumbling block.

You can get a subquery to return an OR using the 'return' command, such as:

| makeresults count=2 | eval product=123 | streamstats count as CandyNoteInfoId | return 100 CandyNoteInfoId

livehybrid_0-1763420106129.png

 

You would ensure that the fieldname returned matches the field in your wider search and then apply this as a subsearch by placing in square braces ([ ]) as part of your main search - however in your data I cannot see a CandyNoteInfoId field, I can only see it as part of an object with the name and value in different fields as parameters{}.name, is that right? 

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

Reply
Get Updates on the Splunk Community!

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization uses ...