Knowledge Management

Can I specify a tag that logically ANDs the field value pairs?

dphung
Explorer

I'd like to set up a tag that is restrictive (AND) in its query rather than inclusive (OR). For example, if you specify a tag with many field value pairs like this:

index=foobar
host=10.17.41.1
host=10.17.41.2

A search using this tag will look for events in index=foobar OR host=10.17.41.1 OR host=10.17.41.2, but I want the search to look for events in index=foobar AND (host=10.17.41.1 OR host=10.17.41.2). I tried explicitly setting the following as a tag but no results were returned:

index=foobar AND (host=10.17.41.1 OR host=10.17.41.2)
Tags (1)
0 Karma
1 Solution

MuS
SplunkTrust
SplunkTrust

Hi dphung,

create an eventtype out of this search http://docs.splunk.com/Documentation/Splunk/6.2.4/knowledge/Defineeventtypes#Save_a_search_as_an_eve... and tag this eventtype and you get what you want.

cheers, MuS


martin_mueller
SplunkTrust
SplunkTrust

Use this:

tag::index=your_tag tag::host=your_tag

That'll prevent the OR'ing between different fields, and ANDs them instead.

martin_mueller
SplunkTrust
SplunkTrust

Don't change your tag definitions, change your search. tag=foo looks for any tag named foo, tag::field=foo looks for tags named foo for the specified field only, breaking up the long OR chain.

0 Karma

dphung
Explorer

The point of the question was to not change the search query. I want to keep that part as simple as tag=foo and have that tag expand to the logical equivalent of
index=foobar AND (host=bar1 OR host=bar2)

I was able to do this with a combination of eventtypes and tagging as suggested by @MuS.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

You should add such a requirement to your question.

dphung
Explorer

Are you saying I need to add 'tag::' in front of each of my field/value pairs? E.g., my tag would look like:

tag::index=foobar
tag::host=10.17.41.1
tag::host=10.17.41.2

I just tried this and it didn't work. What I want to be able to do is use the tag to reference this set of field/value pairs, so if I named my tag above 'mytag', my search would be:

splunk> tag=mytag somedata

0 Karma

dphung
Explorer

A little circuitous but this works. Here's what I had to do:

1) Create tag=myhosts
host=10.17.41.1
host=10.17.41.2

2) Create an eventtype=my_index_search_terms that bound the index and the hosts with the AND
search> index=foobar AND tag=myhosts

3) Create a tag aliasing a tag (tag=index_hosts) to the eventtype:
eventtype=my_index_search_terms

So now, when I do a search like:
> tag=index_hosts status=404

It refines that search to only look for events coming from that host in that index.

0 Karma
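The three steps above, written out as the tags.conf and eventtypes.conf stanzas that Splunk Web creates behind the scenes. This is an added illustration, not configuration from the original post; the object names are the ones used above, and the local/ directory placement is an assumption.

```ini
# local/tags.conf  (constructed example)
# Step 1: tag both host values with "myhosts". Tags on the same field
# expand with OR, so tag=myhosts becomes host=10.17.41.1 OR host=10.17.41.2.
[host=10.17.41.1]
myhosts = enabled

[host=10.17.41.2]
myhosts = enabled

# Step 3: tag the eventtype so that tag=index_hosts resolves to it.
[eventtype=my_index_search_terms]
index_hosts = enabled

# local/eventtypes.conf  (constructed example)
# Step 2: the eventtype carries the AND; tag=myhosts expands inside it.
[my_index_search_terms]
search = index=foobar AND tag=myhosts
```

With these in place, `tag=index_hosts status=404` evaluates as `(index=foobar AND (host=10.17.41.1 OR host=10.17.41.2)) status=404`, which is the restrictive expansion the question asked for.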