Solved: Why do I not get the same results for (search stat...

Qlink · ‎04-06-2016

Hi

I try Splunk myself after I've join in Splunk beginning Course and found this strange result. Is it bug or something?

sourcetype = access_combined_wcookie | search status="200"OR"500"

is not same as

sourcetype = access_combined_wcookie | search status="500"OR"200"

Splunk Source is website access.log and status is access status log.

Why?

martin_mueller · ‎04-06-2016

status="200"OR"500" means "status equals 200 OR raw event contains 500"
status="500"OR"200" means "status equals 500 OR raw event contains 200"

These do not mean "status equals 200 OR status equals 500"!

View solution in original post

martin_mueller · ‎04-06-2016

status="200"OR"500" means "status equals 200 OR raw event contains 500"
status="500"OR"200" means "status equals 500 OR raw event contains 200"

These do not mean "status equals 200 OR status equals 500"!

martin_mueller · ‎04-06-2016

Exactly. Implicitly, your old search was parenthesized as ( ( status="200" ) OR ( "500" ) ).

While you're at it, do not write searches like sourcetype=foo | search field=value, instead use sourcetype=foo field=value directly. Otherwise, Splunk would load all data from that sourcetype and then filter instead of only loading data matching both filters - such performance, much fast, wow.

Qlink · ‎04-06-2016

Thank you very much

Qlink · ‎04-06-2016

So

In order to find status 200 or 500

It has to command like

search status="500"OR status="200"
or
search status="200"OR status="500"

right?

I have try it
and result shown it equal now

Thank you !!!

Why do I not get the same results for (search status="200" OR "500") and (search status="500" OR "200")?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life