Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Using AND, OR to find 2 `devices` where i want to filter in some of the `adj` on each device.

HattrickNZ
Motivator
‎05-29-2018 01:58 PM

I am trying to just show the devices that are X and Y
and the devices that are X and have adj that meet this filter string1
and the devices that are Y and have adj that meet this filter string2 and string3

So basically or in other words I am trying to find 2 devices where i want to filter in some of the adj on each device.

Then I wnat to do a timechart after this, I am just doing stats first to ensure I am looking at the correct filtered options.

This is my search: 

index=snmp_stats sourcetype=snmp_collector_log  
device=X AND adj="*string1*" OR
device=Y AND adj="*string2" OR adj="*string3*" OR
kpi1 OR 
kpi2 OR 
kpi3 OR 
kpi4
| stats values(adj) by device

And this give me this table: (e.g. string1 would be any adj that met that filter - same for string2 and string3 below)

device values(adj)
X *string1*
  *string1*
  *string1*
  ...

This is what I want the below table: 

device values(adj)
X *string1*
  *string1*
  *string1*
  ...
Y *string2*
  *string3*
  ...

NOTE: I would like to provide sample data but I don't think I can in this case, but I may look into this.

Other Q's I am looking at
https://answers.splunk.com/answers/240884/how-to-properly-use-and-or-in-search.html
https://answers.splunk.com/answers/120097/query-on-using-and-or.html

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎05-29-2018 02:27 PM

I think some parens will help. Try this:

index=snmp_stats sourcetype=snmp_collector_log  
(device=X AND adj="*string1*") OR
(device=Y AND adj="*string2" OR adj="*string3*") OR
kpi1 OR 
kpi2 OR 
kpi3 OR 
kpi4
| stats values(adj) by device
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎05-29-2018 02:27 PM

I think some parens will help. Try this:

index=snmp_stats sourcetype=snmp_collector_log  
(device=X AND adj="*string1*") OR
(device=Y AND adj="*string2" OR adj="*string3*") OR
kpi1 OR 
kpi2 OR 
kpi3 OR 
kpi4
| stats values(adj) by device
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

HattrickNZ
Motivator
‎05-29-2018 03:03 PM

thanks, I came to that myself, but I had to omit one of the ORs you have as kpi1 was tied to device=Z, and I did not want device =Z
I also used double quotes but I don't think that makes a difference only where I was using the wildcards(*)

This works:

index=snmp_stats sourcetype=snmp_collector_log  
(device="X" AND adj="*string1*") OR (device="Y" AND adj="*string2*" OR adj="*string3*")
kpi1 OR
kpi2 OR
kpi3 OR
kpi4
| stats values(adj) by device
0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...