Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Setting several independent AND/OR conditions on single search

jpawloski
Path Finder
‎01-17-2019 03:49 PM

I'm running a search against a single index and sourcetype for events that have slightly different data. I want to set conditions as follows but I can't seem to ever get the second set of conditions read:

 index=this sourcetype=that Field_01=65 (CONNECTION_TYPE=TCP AND ROW_COUNT > 0) OR (CONNECTION_TYPE=FTP AND BYTES_SENT > 0) | ...

When run, I only see the first CONNECTION_TYPE in my events. I would use the CONNECTION_TYPE=THIS OR THAT but I have that field that isn't shared by both sets of conditions. What's the cleanest way to do this?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎01-17-2019 06:01 PM

Try this (note the insertion of double-quotes and parentheses):

  index=this AND sourcetype="that" AND Field_01="65" AND ((CONNECTION_TYPE="TCP" AND ROW_COUNT > 0) OR (CONNECTION_TYPE="FTP" AND BYTES_SENT > 0))
| ...

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎01-17-2019 06:01 PM

Try this (note the insertion of double-quotes and parentheses):

  index=this AND sourcetype="that" AND Field_01="65" AND ((CONNECTION_TYPE="TCP" AND ROW_COUNT > 0) OR (CONNECTION_TYPE="FTP" AND BYTES_SENT > 0))
| ...
Reply
Solved! Jump to solution

jpawloski
Path Finder
‎01-18-2019 02:12 PM

I had hoped one day to be graced with a reply from woodcock. That day has come. Thanks man!

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎01-18-2019 06:36 PM

I do aim to please! Whenever you are mixing AND and OR, you must use parentheses appropriately or you will go off track quickly.

0 Karma
Reply
Solved! Jump to solution

HiroshiSatoh
Champion
‎01-17-2019 04:23 PM

I think that the search sentence is not wrong.
It will be like this.

 index=this AND sourcetype=that AND Field_01=65  
     AND ((CONNECTION_TYPE=TCP AND ROW_COUNT > 0) OR (CONNECTION_TYPE=FTP AND BYTES_SENT > 0) )| ...
0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...