Getting Data In

Using multiple OR operators

shiftey
Path Finder

Hi guys

I'm doing a correlation search where I'm looking for hostnames and filtering for events I don't want, e.g.

sourcetype=dhcplogs where dest!=Prefix1* OR dest!=Prefix2* OR dest!=Prefix3* OR dest!=Prefix4* .....

Is there a more efficient way of grouping multiple OR operators together? Would this help with search processing, or would it just be tidier to read?

Cheers


lguinn2
Legend

Wish Granted!!! In Splunk 6.6 -

Search command supports IN operator

sourcetype=xyz status IN (100, 102, 103)

Eval and where commands support in function

| where in(status,"222","333","444","555")

DalJeanis
SplunkTrust

This test will ALWAYS be true...

dest!=Prefix1* OR dest!=Prefix2* 

...because...
Prefix1PlusSomeStuff is not equal to Prefix2*, so it meets the second criterion.

Prefix2PlusSomeStuff is not equal to Prefix1*, so it meets the first criterion.

...so, that should be coded in either of the following ways...

 NOT ( dest=Prefix1* OR dest=Prefix2*)

...or...

 (dest!=Prefix1* AND dest!=Prefix2*)
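To make the point above concrete, here is an added Python example (not code from the thread or from Splunk) that emulates the search-command semantics of `dest!=Prefix*` on a constructed list of DHCP hostnames, assuming `*` is a wildcard and the comparison is case-insensitive, and contrasts the OR-of-negations filter with the corrected NOT(OR) form:

```python
from fnmatch import fnmatchcase

# Constructed sample of DHCP "dest" hostnames (not taken from the original thread).
SAMPLE_DESTS = [
    "Prefix1-laptop-01",
    "Prefix2-printer-07",
    "Prefix3-vm-12",
    "Prefix4-kiosk",
    "unknown-host-99",
    "rogue-ap-3",
]

# The prefixes the search is meant to exclude.
EXCLUDED_PREFIXES = ["Prefix1*", "Prefix2*", "Prefix3*", "Prefix4*"]


def matches(value: str, pattern: str) -> bool:
    """Emulate an SPL search-command field=pattern test: '*' is a wildcard,
    comparison is case-insensitive (an assumption about the search command)."""
    return fnmatchcase(value.lower(), pattern.lower())


def or_of_negations(dests, patterns):
    """The original filter: dest!=P1* OR dest!=P2* OR ...
    With two or more patterns every host satisfies at least one '!=',
    so nothing is ever excluded."""
    return [d for d in dests if any(not matches(d, p) for p in patterns)]


def not_any_match(dests, patterns):
    """The corrected filter: NOT (dest=P1* OR dest=P2* OR ...),
    equivalent to dest!=P1* AND dest!=P2* AND ..."""
    return [d for d in dests if not any(matches(d, p) for p in patterns)]


if __name__ == "__main__":
    print("OR of != keeps:", or_of_negations(SAMPLE_DESTS, EXCLUDED_PREFIXES))
    print("NOT (OR) keeps:", not_any_match(SAMPLE_DESTS, EXCLUDED_PREFIXES))
```

The first filter returns all six hosts unchanged; the second returns only the two hosts that carry none of the excluded prefixes, which is what the search was meant to do.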

stephanefotso
Motivator

Hello!
No, there is not another way to do it. And you don't have to put the where clause. Just type your search like this:

sourcetype=dhcplogs  (dest!=Prefix1* OR dest!=Prefix2* OR dest!=Prefix3* OR dest!=Prefix4)

Thanks

SGF

shiftey
Path Finder

I've also tried

replace prefix1* with prefix1 in dest| replace prefix2* with prefix* in dest | where dest!=prefix1 OR dest!=prefix2

however that has 0 results. I'm thinking Splunk is not treating prefix1* as a wildcard but as a string?

Any more advice is most welcome.

Cheers


stephanefotso
Motivator

No. There was an error in my query. This is what to write:

replace prefix1* with prefix1 in dest| replace prefix2* with prefix2 in dest | where dest!=prefix1 OR dest!=prefix2

And if prefix1* is a literal string in your events, meaning you are not trying to match any character, just write

...| where dest!="prefix1*" OR dest!="prefix2*"

Thanks

SGF

shiftey
Path Finder

Thanks stephanefotso,

I'm using this in a new correlation search using guided mode. I'm at the filter stage of the search creation wizard and have put:

dest!=Prefix1* OR dest!=Prefix2*

yet there is an error below that says
" ! Search does not parse"

I've used the network sessions datamodel and specified the search time.

How would I know what "Application Context" to use for each correlation search?

Thanks for your help


shiftey
Path Finder

I also specified DHCP as part of the network session data model..


stephanefotso
Motivator

If you are at the filter stage, I think you must use the where clause. But the problem is that the star (*) cannot work with the where clause. This means `|where dest!=Prefix1*` is an error.

SGF

stephanefotso
Motivator

try:

...|replace Prefix1* with Prefix1 in dest|replace Prefix2* with Prefix2 in dest|where dest!=Prefix1 OR dest!=Prefix2

SGF