Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Using AND, OR to find 2 `devices` where i want to filter in some of the `adj` on each device.

HattrickNZ
Motivator
‎05-29-2018 01:58 PM

I am trying to just show the devices that are X and Y
and the devices that are X and have adj that meet this filter string1
and the devices that are Y and have adj that meet this filter string2 and string3

So basically or in other words I am trying to find 2 devices where i want to filter in some of the adj on each device.

Then I wnat to do a timechart after this, I am just doing stats first to ensure I am looking at the correct filtered options.

This is my search: 

index=snmp_stats sourcetype=snmp_collector_log  
device=X AND adj="*string1*" OR
device=Y AND adj="*string2" OR adj="*string3*" OR
kpi1 OR 
kpi2 OR 
kpi3 OR 
kpi4
| stats values(adj) by device

And this give me this table: (e.g. string1 would be any adj that met that filter - same for string2 and string3 below)

device values(adj)
X *string1*
  *string1*
  *string1*
  ...

This is what I want the below table: 

device values(adj)
X *string1*
  *string1*
  *string1*
  ...
Y *string2*
  *string3*
  ...

NOTE: I would like to provide sample data but I don't think I can in this case, but I may look into this.

Other Q's I am looking at
https://answers.splunk.com/answers/240884/how-to-properly-use-and-or-in-search.html
https://answers.splunk.com/answers/120097/query-on-using-and-or.html

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎05-29-2018 02:27 PM

I think some parens will help. Try this:

index=snmp_stats sourcetype=snmp_collector_log  
(device=X AND adj="*string1*") OR
(device=Y AND adj="*string2" OR adj="*string3*") OR
kpi1 OR 
kpi2 OR 
kpi3 OR 
kpi4
| stats values(adj) by device
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎05-29-2018 02:27 PM

I think some parens will help. Try this:

index=snmp_stats sourcetype=snmp_collector_log  
(device=X AND adj="*string1*") OR
(device=Y AND adj="*string2" OR adj="*string3*") OR
kpi1 OR 
kpi2 OR 
kpi3 OR 
kpi4
| stats values(adj) by device
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

HattrickNZ
Motivator
‎05-29-2018 03:03 PM

thanks, I came to that myself, but I had to omit one of the ORs you have as kpi1 was tied to device=Z, and I did not want device =Z
I also used double quotes but I don't think that makes a difference only where I was using the wildcards(*)

This works:

index=snmp_stats sourcetype=snmp_collector_log  
(device="X" AND adj="*string1*") OR (device="Y" AND adj="*string2*" OR adj="*string3*")
kpi1 OR
kpi2 OR
kpi3 OR
kpi4
| stats values(adj) by device
0 Karma
Reply
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...