Splunk Search

Basic search cleanup - Need a list instead of many "OR" operators

agoktas
Communicator

Hello you syntax gurus!

This should be simple, but I haven't done this yet. 😉

I just want to clean up some of the 'OR's and provide a list within parentheses instead (I think that's the way it works). Can you provide a cleaned-up example that will search exactly the same?

index=app_win source=service State=Stopped StartMode=Manual OR StartMode=Auto Name=IBM OR Name=CollabNet OR Name=SVN OR Name=Kofax OR Name=QAS OR Name=FLEXLm Description=IBM OR Description=CollabNet OR Description=SVN OR Description=Kofax OR Description=QAS OR Description=FLEXLm | stats count by Name StartMode host Description | rename Name as "Service Name"

Thanks!

1 Solution

dwaddle
SplunkTrust

Really, "OR" is your only vehicle here. Splunk breaks searches down into basic AND / OR / NOT boolean logic operators. The SPL has no concept of an "IN" operator (even if it would be nice just from a syntactic sugar point of view). There are ways of getting around this though.

  1. Lookups. You can make a lookup and use inputlookup and a subsearch to drag in the values from the lookup. Perhaps not appropriate here, but useful elsewhere.
  2. Macros. Already discussed. They hide the complexity for you, but don't really simplify it a lot.
  3. Tags and eventtypes. You could use a tag like "interesting_service_name" and tag Name=IBM Name=CollabNet and so on with that tag and then search for tag=interesting_service_name. Tags and eventtypes are interesting because they let you encapsulate this type of knowledge in a way that makes dashboards and alert searches much more generic. I have previously done something where I would make an eventtype highlighting a particular error condition, and then tag that eventtype as "alertable". Then, I would schedule a search that simply searched for "tag=alertable", and let Splunk figure out what all eventtypes I had tagged that way and what raw events matched that eventtype. From there, anyone who wanted to add an event to an existing alert trigger would only need to tag it appropriately and things just worked...

TL;DR - tags are cool.


agoktas
Communicator

Aha! I've taken 1 step forward:

index=app_win source=service State=Stopped StartMode (Auto OR Manual)
Name (IBM OR CollabNet OR SVN OR Kofax OR QAS OR FLEXLm) OR
Description (IBM OR CollabNet OR SVN OR Kofax OR QAS OR FLEXLm) OR
DisplayName (IBM OR CollabNet OR SVN OR Kofax OR QAS OR FLEXLm)
NOT (Description=Blah1 OR Blah2) | stats count by DisplayName StartMode host Description | rename DisplayName as "Service Name"

This brings up the exact same results, but is a bit cleaner. Now I just need to know how to clean up some of the redundant "OR" operators.

Any thoughts?

Or is this the best (besides creating a macro) we can do with cleanup?


tom_frotscher
Builder

Hi,

If you want to clean this up, I would move the filter part to a search macro. Let's say we call your macro "my_macro".
Then your search would look like this:

index=app_win source=service `my_macro` | stats count by Name StartMode host Description | rename Name as "Service Name"

agoktas
Communicator

Macros are definitely an option.

But I thought there was a comma delimited list you can specify to clean up just a little bit. Just to clean up some of the "OR" operators and "field=".

Just a guess (I thought it was something like this)...
Name=(IBM,CollabNet,SVN,Kofax,QAS,FLEXLm)
Description=(IBM,CollabNet,SVN,Kofax,QAS,FLEXLm)

But I tried these and they don't work.

Thanks.


dart
Splunk Employee

A simple way of doing this would be to add tags or a lookup to the Name and/or Description fields. If you need matching other than exact match, you could use eventtypes to describe them, and then optionally tag the eventtypes too.

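As an added illustration (not code from dwaddle's or dart's posts), this is what the lookup-plus-subsearch and the eventtype-plus-tag approaches they describe look like in practice for the service search in this thread. The lookup file name interesting_services.csv, the eventtype name interesting_service and the tag name interesting_service_name are assumed.

```ini
# --- Option 1: lookup + subsearch
# Assumed lookup file interesting_services.csv with a single column:
#   Name
#   IBM
#   CollabNet
#   SVN
#   Kofax
#   QAS
#   FLEXLm
#
# The subsearch expands to (Name="IBM") OR (Name="CollabNet") OR ... ,
# i.e. the same explicit OR list, so the outer search reads:
#
#   index=app_win source=service State=Stopped (StartMode=Manual OR StartMode=Auto)
#       [| inputlookup interesting_services.csv | fields Name]
#       | stats count by Name StartMode host Description
#       | rename Name as "Service Name"
#
# The thread matches on Name OR Description; a one-column lookup matches Name only.
# To cover Description as well, reuse the lookup with the field renamed:
#
#       ([| inputlookup interesting_services.csv | fields Name]
#        OR [| inputlookup interesting_services.csv | fields Name | rename Name as Description])

# --- Option 3: eventtype + tag (assumed names; place both files in an app's local/ directory)

# eventtypes.conf
[interesting_service]
search = index=app_win source=service (Name=IBM OR Name=CollabNet OR Name=SVN OR Name=Kofax OR Name=QAS OR Name=FLEXLm OR Description=IBM OR Description=CollabNet OR Description=SVN OR Description=Kofax OR Description=QAS OR Description=FLEXLm)

# tags.conf
[eventtype=interesting_service]
interesting_service_name = enabled

# Search by tag; adding a service later means editing the eventtype once,
# not every saved search or alert that uses it:
#
#   index=app_win source=service State=Stopped (StartMode=Manual OR StartMode=Auto)
#       tag=interesting_service_name
#       | stats count by Name StartMode host Description
#       | rename Name as "Service Name"
```

Splunk releases newer than this thread also accept the comma-delimited form the asker was guessing at, written as `Name IN (IBM, CollabNet, SVN, Kofax, QAS, FLEXLm)` in the search command.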