Splunk Search

where field 1 or field 2 equals False

hastrike
New Member

I have two fields in a query where they either equal True or False and I want to find all the results where these two fields equal False. I have tried | where field1 ="False" OR field2 ="False"

However, when I run this it only picks up the first field; it doesn't pick up the 2nd field. Both fields should not be false at the same time. I have also tried the search command as well instead of where.


somesoni2
SplunkTrust

From your 2nd para, it looks like you need this. This will ensure at least one of them is false and both are NOT true and both are not false.

| where field1!=field2

hastrike
New Member

Sorry that must have been confusing. I want the results where both answers are false.


somesoni2
SplunkTrust

In that case @javiergn's answer is what you're looking for. No result doesn't necessarily mean it didn't work, your data could be like that. Can you check manually to see if there really is a data satisfying your condition?


javiergn
SplunkTrust

You need a logical AND in this case:

| where field1 ="False" AND field2 ="False"

The OR you are using will return any event where either field1 is False or field2 is false, or both, or one of them is true and the other false.

Note you can use search too:

| search field1 ="False" AND field2 ="False"

hastrike
New Member

I tried this and I keep getting no results found. However, it works if I use a single field or use OR instead of AND. Just need results when either is False.


javiergn
SplunkTrust

Hi, I'm reading your question again and your 1st paragraph contradicts your second one.

In summary:

Both fields are false at the same time:

| where field1 ="False" AND field2 ="False"

One of them is false and the other true:

| where field1 != field2

One of them is false and the other doesn't matter:

| where field1 ="False"

| where field2 ="False"
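A constructed, self-contained check added here (it is not part of any answer in the thread): it uses makeresults to build four synthetic events covering every True/False combination of field1 and field2 (the field names come from the question; the values are constructed), then evaluates the three expressions discussed above side by side so you can see which rows each one keeps before applying it as a filter.

```spl
| makeresults count=4
| streamstats count AS n
| eval field1=case(n=1, "True", n=2, "True", n=3, "False", n=4, "False")
| eval field2=case(n=1, "True", n=2, "False", n=3, "True", n=4, "False")
| eval or_matches=if(field1="False" OR field2="False", "yes", "no")
| eval and_matches=if(field1="False" AND field2="False", "yes", "no")
| eval ne_matches=if(field1!=field2, "yes", "no")
| table field1 field2 or_matches and_matches ne_matches
```

Only the False/False row gets and_matches=yes, which is the "both are false" case. Against real data, replace the makeresults/eval prefix with your base search and run `| stats count by field1 field2` first: that is the manual check suggested above, and it shows whether a False/False combination (with exactly that spelling and case) exists at all.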