- Community
- :
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- AND OR Boolean Operators
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
Hello,
I have a small dilema around AND OR boolean operators. I dont want null time logs for event=timeOut, but at the same time I also want the null values for event=timeOut because I need that info too. Would like to know if using OR instead of AND in the where clause would do that for me?
index="mvp.sl.idx"
| eval DeliverToService=case(event="timeOut", logTime)
| eval NullDeliverToService=case(event,"timeOut", logTime)
| stats values(DeliverToService) as DeliverToService values(NullDeliverToService) as NullDeliverToService
| where isNotNull(DeliverToService) OR isNull(NullDeliverToService)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
Not entirely clear what you are trying to do here. The case statement in the second eval doesn't look like valid syntax. However, assuming it is supposed to be event="timeout", both DeliverToService and NullDeliverToService will be identical, so if the where clause has an AND instead of OR, you will get no results as the two lists of values generated by the stats command will either both be null or both contain the same values. This doesn't sound like what you are trying to achieve?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
@ITWhisperer
Thank you, I only keep one eval and what I will do is also just keep 1 where clause, so I will do the below. In doing so I will exclude the null values too for DeliverToService. What I was trying to do at first was have seperate columns one for null values and one for isNotNull values - but I was just getting the same data for both columns.
index="mvp.sl.idx"
| eval DeliverToService=case(event="timeOut", logTime)
| stats values(DeliverToService) as DeliverToService
| where isNotNull(DeliverToService)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
Not entirely clear what you are trying to do here. The case statement in the second eval doesn't look like valid syntax. However, assuming it is supposed to be event="timeout", both DeliverToService and NullDeliverToService will be identical, so if the where clause has an AND instead of OR, you will get no results as the two lists of values generated by the stats command will either both be null or both contain the same values. This doesn't sound like what you are trying to achieve?
Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!
Catch Up Now >>
