Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Using multiple OR operators

shiftey
Path Finder
‎05-28-2015 03:50 PM

Hi guys

Im doing a correlation search where Im looking for hostnames and filtering for events I dont want. eg.

sourcetype=dhcplogs where dest!=Prefix1* OR dest!=Prefix2* OR dest!=Prefix3* OR dest!=Prefix4* .....

Is there a more efficient way of grouping multiple OR operators together? Would this help with search processing, or just tidier to read.

Cheers

Tags (2)
Reply

lguinn2
Legend
‎06-19-2017 01:30 PM

Wish Granted!!! In Splunk 6.6 -

Search command supports IN operator

sourcetype=xyz status IN (100, 102, 103)

Eval and where commands support in function

| where in(status,"222","333","444","555")

Reply

DalJeanis
Legend
‎04-26-2017 08:40 AM

This test will ALWAYS be true...

dest!=Prefix1* OR dest!=Prefix2*

...because...
Prefix1PlusSomeStuff is not equal to Prefix2*, so it meets the second criteria.

Prefix2PlusSomeStuff is not equal to Prefix1*, so it meets the first criteria.

...so, that should be coded in either of the following ways...

 NOT ( dest=Prefix1* OR dest=Prefix2*)

...or...

 (dest!=Prefix1* AND dest!=Prefix2*)
0 Karma
Reply

stephanefotso
Motivator
‎05-28-2015 04:02 PM

Hello!
No, there is not another way to do it. And you don't have to put the where clause. just type your search like this:

sourcetype=dhcplogs  (dest!=Prefix1* OR dest!=Prefix2* OR dest!=Prefix3* OR dest!=Prefix4)

Thanks

SGF
0 Karma
Reply

shiftey
Path Finder
‎05-28-2015 07:32 PM

Ive also tried

replace prefix1* with prefix1 in dest| replace prefix2* with prefix* in dest | where dest!=prefix1 OR dest!=prefix2

however that has 0 results. Im thinking Splunk is not treating prefix1* as a wildcard but a string?

Any more advice is most welcome.

Cheers

0 Karma
Reply

stephanefotso
Motivator
‎05-29-2015 12:10 AM

No. There was an error in my query. That is what to write.

replace prefix1* with prefix1 in dest| replace prefix2* with prefix2 in dest | where dest!=prefix1 OR dest!=prefix2

And, If prefix1* is a string in your events, means, you are not trying to match any caracter, just write

...| where dest!="prefix1*" OR dest!="prefix2*"

Thanks

SGF
0 Karma
Reply

shiftey
Path Finder
‎05-28-2015 04:23 PM

Thanks stephanefotso,

I'm using this in a new correlation search using guided mode. Im at the filter stage of the search creation wizard and have put:

dest!=Prefix1* OR dest!=Prefix2*

yet there is an error below that says
" ! Search does not parse"

I've used the network sessions datamodel and specified the search time.

How would I know what "Application Context" to use for each correlation search?

Thanks for your help

0 Karma
Reply

shiftey
Path Finder
‎05-28-2015 04:24 PM

I also specified DHCP as part of the network session data model..

0 Karma
Reply

stephanefotso
Motivator
‎05-28-2015 05:04 PM

If you are at the filter stage, i thing, you must use the where clause. But the problem is that, the star() can not works with the where clause. Means `|where dest!=Prefix1 `is an error.

SGF
0 Karma
Reply

stephanefotso
Motivator
‎05-28-2015 05:21 PM

try:

  ...|replace Prefix1* with Prefix1 in dest|replace Prefix2* with Prefix2 in dest|where dest!=Prefix1 OR dest!=Prefix2
SGF
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...