Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Using AND, OR to find 2 `devices` where i want to filter in some of the `adj` on each device.

HattrickNZ
Motivator
‎05-29-2018 01:58 PM

I am trying to just show the devices that are X and Y
and the devices that are X and have adj that meet this filter string1
and the devices that are Y and have adj that meet this filter string2 and string3

So basically or in other words I am trying to find 2 devices where i want to filter in some of the adj on each device.

Then I wnat to do a timechart after this, I am just doing stats first to ensure I am looking at the correct filtered options.

This is my search: 

index=snmp_stats sourcetype=snmp_collector_log  
device=X AND adj="*string1*" OR
device=Y AND adj="*string2" OR adj="*string3*" OR
kpi1 OR 
kpi2 OR 
kpi3 OR 
kpi4
| stats values(adj) by device

And this give me this table: (e.g. string1 would be any adj that met that filter - same for string2 and string3 below)

device values(adj)
X *string1*
  *string1*
  *string1*
  ...

This is what I want the below table: 

device values(adj)
X *string1*
  *string1*
  *string1*
  ...
Y *string2*
  *string3*
  ...

NOTE: I would like to provide sample data but I don't think I can in this case, but I may look into this.

Other Q's I am looking at
https://answers.splunk.com/answers/240884/how-to-properly-use-and-or-in-search.html
https://answers.splunk.com/answers/120097/query-on-using-and-or.html

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎05-29-2018 02:27 PM

I think some parens will help. Try this:

index=snmp_stats sourcetype=snmp_collector_log  
(device=X AND adj="*string1*") OR
(device=Y AND adj="*string2" OR adj="*string3*") OR
kpi1 OR 
kpi2 OR 
kpi3 OR 
kpi4
| stats values(adj) by device
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎05-29-2018 02:27 PM

I think some parens will help. Try this:

index=snmp_stats sourcetype=snmp_collector_log  
(device=X AND adj="*string1*") OR
(device=Y AND adj="*string2" OR adj="*string3*") OR
kpi1 OR 
kpi2 OR 
kpi3 OR 
kpi4
| stats values(adj) by device
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

HattrickNZ
Motivator
‎05-29-2018 03:03 PM

thanks, I came to that myself, but I had to omit one of the ORs you have as kpi1 was tied to device=Z, and I did not want device =Z
I also used double quotes but I don't think that makes a difference only where I was using the wildcards(*)

This works:

index=snmp_stats sourcetype=snmp_collector_log  
(device="X" AND adj="*string1*") OR (device="Y" AND adj="*string2*" OR adj="*string3*")
kpi1 OR
kpi2 OR
kpi3 OR
kpi4
| stats values(adj) by device
0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...