Splunk Search

Using AND, OR to find 2 `devices` where i want to filter in some of the `adj` on each device.

Motivator

I am trying to just show the devices that are X and Y
and the devices that are X and have adj that meet this filter string1
and the devices that are Y and have adj that meet this filter string2 and string3

So basically or in other words I am trying to find 2 devices where i want to filter in some of the adj on each device.

Then I wnat to do a timechart after this, I am just doing stats first to ensure I am looking at the correct filtered options.

This is my search:

index=snmp_stats sourcetype=snmp_collector_log  
device=X AND adj="*string1*" OR
device=Y AND adj="*string2" OR adj="*string3*" OR
kpi1 OR 
kpi2 OR 
kpi3 OR 
kpi4
| stats values(adj) by device

And this give me this table: (e.g. string1 would be any adj that met that filter - same for string2 and string3 below)

device values(adj)
X *string1*
  *string1*
  *string1*
  ...

This is what I want the below table:

device values(adj)
X *string1*
  *string1*
  *string1*
  ...
Y *string2*
  *string3*
  ...

NOTE: I would like to provide sample data but I don't think I can in this case, but I may look into this.

Other Q's I am looking at
https://answers.splunk.com/answers/240884/how-to-properly-use-and-or-in-search.html
https://answers.splunk.com/answers/120097/query-on-using-and-or.html

Tags (3)
0 Karma
1 Solution

SplunkTrust
SplunkTrust

I think some parens will help. Try this:

index=snmp_stats sourcetype=snmp_collector_log  
(device=X AND adj="*string1*") OR
(device=Y AND adj="*string2" OR adj="*string3*") OR
kpi1 OR 
kpi2 OR 
kpi3 OR 
kpi4
| stats values(adj) by device
---
If this reply helps you, an upvote would be appreciated.

View solution in original post

SplunkTrust
SplunkTrust

I think some parens will help. Try this:

index=snmp_stats sourcetype=snmp_collector_log  
(device=X AND adj="*string1*") OR
(device=Y AND adj="*string2" OR adj="*string3*") OR
kpi1 OR 
kpi2 OR 
kpi3 OR 
kpi4
| stats values(adj) by device
---
If this reply helps you, an upvote would be appreciated.

View solution in original post

Motivator

thanks, I came to that myself, but I had to omit one of the ORs you have as kpi1 was tied to device=Z, and I did not want device =Z
I also used double quotes but I don't think that makes a difference only where I was using the wildcards(*)

This works:

index=snmp_stats sourcetype=snmp_collector_log  
(device="X" AND adj="*string1*") OR (device="Y" AND adj="*string2*" OR adj="*string3*")
kpi1 OR
kpi2 OR
kpi3 OR
kpi4
| stats values(adj) by device
0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!