Solved: filter using where command with AND & OR operators...

man03359

I have two fields (lets say.) AA and BB, I am trying to filter our results where AA and BB = 00 OR 10 using something like this -

index="idx-some-index" sourcetype="dbx" source="some.*.source"
| where (AA AND BB)== (00 OR 10)

But I am getting error as Error in 'where' command: Type checking failed. 'AND' only takes boolean arguments.

I have also tried -

index="idx-some-index" sourcetype="dbx" source="some.*.source"
| where AA =(00 OR 10) AND (BB=(OO OR 10))

But I am getting same error as Type checking failed. 'OR' only takes boolean arguments.

Please help!

man03359

Nevermind!

I was able to get the desired output by using -

| where (AA ="00" OR AA="10") OR (BB="00" OR BB="10")

scelikok

You can use the below syntax;

index="idx-some-index" sourcetype="dbx" source="some.*.source" AA IN (00,10) BB IN (00,10)

or

index="idx-some-index" sourcetype="dbx" source="some.*.source" (AA=00 OR AA=10) (BB=00 OR BB=10)

If this reply helps you an upvote and "Accept as Solution" is appreciated.

man03359

@scelikok Yes I tried out with -

|where AA IN ('00','10') AND BB IN ('00','10')

But it was not giving any output, but the second one did worked :0

Thanks 🙂

man03359

Nevermind!

I was able to get the desired output by using -

| where (AA ="00" OR AA="10") OR (BB="00" OR BB="10")

filter using where command with AND & OR operators.