Why is multiple OR not working as expected with AN...

hgoyal · ‎08-08-2023

Hi Everyone,

I have a requirement to implement a search query where I have 3 unique values and one common value

3 unique values-> A, B, C

1 Common Value-> D

I am doing something like (A and D) OR (B and D) OR (C and D) but it is not giving any search result but it should give as (C and D ) is true.

@gcusello if is possible can you help?

wmuselle · ‎08-08-2023

no result? , make sure your AND and OR are uppercase.
also as @ITWhisperer said combining your ORs should work.

are these stored in 2 fields or just 1?

hgoyal · ‎08-08-2023

There is a single field on which these values are matched. Bucket Name

ITWhisperer · ‎08-08-2023

In general, ANDs and ORs work as expected, which means there must be something specific about your scenario for it to not work. Without the specifics, e.g. actual (anonymised) examples, it is going to be difficult to help you further.

hgoyal · ‎08-08-2023

Hello,

I think I know why it is not working. I was trying to make AND work on different events .

For example one event has A value
And there is another event with B value
And I am trying to apply multiple AND and OR between different events .

Is there anyway to apply AND and OR between 2 different events and their values ?

ITWhisperer · ‎08-08-2023

The simple answer is no - Splunk works on a pipeline of events, so each comparison applies to one event at a time. Having said that, there are ways to combine events into single events, to which comparisons can be applied, and also ways to combine values from other events, so that cross-event comparisons can be made. It depends on your usecase.

hgoyal · ‎08-09-2023

Hi,
I tried to combine two different eventtype events in one single event.

Eventtype = First and Eventtype =Second

eventtype="First " OR eventtype="Second "| transaction eventtype maxspan=1s | eval combined_event()=mvjoin(event, " ") | table combined_event

But it group the events of First and Second it didnt added FIRST+Second into single eventtype is this possible?

ITWhisperer · ‎08-09-2023

No, using transaction eventtype will separate groups of events by eventtype so First and Second will be in different event (groups). Perhaps, instead of talking in generic terms, with you introducing additional variables to your usecase, it might be useful if you describe your exact usecase in more detail. What exactly are you trying to do?

hgoyal · ‎08-09-2023

Okay. I have one variable say bucket_name. It exists in eventtype ->First and eventtype->Second

So this is a common field in both the eventtype.

But I want to combine these both events so that I have both the bucket names into single eventtype.

And that's why I was trying to perform OR and AND operator. TO extract bucket name value .

My use case is I want to Search only the bucketnames which exists with some other specific bucket names using search keyword

ITWhisperer · ‎08-09-2023

This still isn't clear - do you have the same bucket_name in two different events, one of event type "First" and the other of event type "Second"; or, events of type "First" with different bucket_names and events of type "Second" with a different set of bucket_names?

Please share some sample (anonymised) events to make this clearer.

ITWhisperer · ‎08-08-2023

What you have should work, although you could try (A or B or C) AND D.

Can you share some events which you think should be being picked up which aren't?

Why is multiple OR not working as expected with AND clause in search query?

search job inspector

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk