Splunk Search

Using AND, OR to find 2 `devices` where i want to filter in some of the `adj` on each device.

HattrickNZ
Motivator

I am trying to just show the devices that are X and Y
and the devices that are X and have adj that meet this filter string1
and the devices that are Y and have adj that meet this filter string2 and string3

So basically or in other words I am trying to find 2 devices where i want to filter in some of the adj on each device.

Then I wnat to do a timechart after this, I am just doing stats first to ensure I am looking at the correct filtered options.

This is my search:

index=snmp_stats sourcetype=snmp_collector_log  
device=X AND adj="*string1*" OR
device=Y AND adj="*string2" OR adj="*string3*" OR
kpi1 OR 
kpi2 OR 
kpi3 OR 
kpi4
| stats values(adj) by device

And this give me this table: (e.g. string1 would be any adj that met that filter - same for string2 and string3 below)

device values(adj)
X *string1*
  *string1*
  *string1*
  ...

This is what I want the below table:

device values(adj)
X *string1*
  *string1*
  *string1*
  ...
Y *string2*
  *string3*
  ...

NOTE: I would like to provide sample data but I don't think I can in this case, but I may look into this.

Other Q's I am looking at
https://answers.splunk.com/answers/240884/how-to-properly-use-and-or-in-search.html
https://answers.splunk.com/answers/120097/query-on-using-and-or.html

Tags (3)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

I think some parens will help. Try this:

index=snmp_stats sourcetype=snmp_collector_log  
(device=X AND adj="*string1*") OR
(device=Y AND adj="*string2" OR adj="*string3*") OR
kpi1 OR 
kpi2 OR 
kpi3 OR 
kpi4
| stats values(adj) by device
---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

I think some parens will help. Try this:

index=snmp_stats sourcetype=snmp_collector_log  
(device=X AND adj="*string1*") OR
(device=Y AND adj="*string2" OR adj="*string3*") OR
kpi1 OR 
kpi2 OR 
kpi3 OR 
kpi4
| stats values(adj) by device
---
If this reply helps you, Karma would be appreciated.

HattrickNZ
Motivator

thanks, I came to that myself, but I had to omit one of the ORs you have as kpi1 was tied to device=Z, and I did not want device =Z
I also used double quotes but I don't think that makes a difference only where I was using the wildcards(*)

This works:

index=snmp_stats sourcetype=snmp_collector_log  
(device="X" AND adj="*string1*") OR (device="Y" AND adj="*string2*" OR adj="*string3*")
kpi1 OR
kpi2 OR
kpi3 OR
kpi4
| stats values(adj) by device
0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...