Re: Searching with AND OR

jlaigo2 · ‎01-29-2013

I am trying to setup a dashboard with the following example search. What I need to do is have both id and or name, I tried it with just OR but if it matches on the first it will not continue on the second and it breaks with AND OR...?

index=someindex id=* AND OR name=*

markthompson · ‎02-23-2015

lpolo has the correct answer, but I thought I'd clarify a bit.

The operators match criteria, so:

AND - is used in the format if(id=? AND name=?,TRUE, FALSE) so both criteria, working on a boolean basis, should return 1, then it will carry on and return true.

OR - is used in the format if(id=? OR name=?, TRUE, FALSE) so it will continue if either of the fields match

What you're attempting to do, is to check if the ID matches, or the name matches, then you wish to display the ID and the Name, so you should be using the OR; index=yourindex id=? OR name=? | table _time, id, name

Hope that cleared things up.

lpolo · ‎01-29-2013

with AND you get this result set

id | name | expected result
----------------------------
no | no | none are reported
yes | no | none are reported
no| yes | none are reported
yes | yes | Both are reported

OR

id | name | expected result
----------------------------------
no | no | none are reported
yes | no | id is reported
no| yes | name is reported
yes | yes | Both  name and id are reported

Based on these premises you want to use OR

index=someindex id OR name|table _time id name

Searching with AND OR

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

GA: New Data Management App in Splunk Platform

Announcing Modern Navigation: A New Era of Splunk User Experience

Join the Conversation