Splunk Dev

AND STATEMENTS - HOW DOES IT LIMIT THE DATA

J_Walker_Ex
New Member

Hi, I have just performed a search

Using Database and file path as the items

(DATABASE) (I:\LOCATION\AREA\UK). This returns 1000000 Results

I tried to QC my method by looking for the following

(DATA AND BASE) (I:\LOCATION\AREA\UK). This only returned 30000 Results, which seems strange, as I thought in theory this one should return all the DATABASE entries and any other occurrence of data and base. Am I doing something obviously wrong?


woodcock
Esteemed Legend

In order for them to be similar, you need to use (DATA* AND *BASE). You would very much benefit from examining the lispy generated (the internal Splunk DB language) for each of your searches. Run a search, then after it is done, towards the right above the histogram is a Job menu. Click that and select Inspect job. This will open a new window with useful information, but not the lispy. At the top of this window is a search log link. Click that and search for lispy. Dig and learn.


skalliger
SplunkTrust

Hi,

If I am correct, there is quite a difference here.
Searching for "database" will return events with the term "database", whereas searching for DATA AND BASE will only return events with the terms data and base.
You would need to specify wildcards in order to get everything that contains the term data, like "*data*", "data*" etc.

Skalli


J_Walker_Ex
New Member

Hi, thanks for your answer.

But if I am searching for DATA and BASE, does this not in theory mean that all the entries for DATABASE will be picked up by this search, as DATABASE contains DATA and BASE?

But this is not what I am seeing: DATABASE is yielding more results than (DATA AND BASE).

If I have, say, a string like manchesteruniteduseDATAwhentheyareplayinggamestogiveaBASE

and I search for (DATA AND BASE), is it not also going to pick it up?


skalliger
SplunkTrust

No, think of it like SQL (if you know this language).

If you search for something like this:

WHERE x LIKE "DATA" OR "BASE"

this will only return events where x = DATA or x = BASE, but it will NOT return events with x = DATABASE.

Because then, you would need to define wildcards, something like this:

WHERE x LIKE "DATA%" OR "%BASE"

So, searching for "base" AND "data" will not return database, if it is one term without a space.
Is it clearer now?

Searching for (DATA* AND *BASE) should return all the events you want.

Skalli

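To see why DATA AND BASE matches fewer events than DATABASE, here is an added Python model of term-based matching (an illustration written for this page, not code from the thread or from Splunk): events are split into whole terms at index time, a bare search term matches only a whole term, and `*` is the only wildcard. The segmentation regex and the sample events are constructed simplifications of real Splunk behaviour.

```python
import re

# Constructed sample events, not taken from the original thread.
EVENTS = [
    r"backup DATABASE I:\LOCATION\AREA\UK completed",
    r"copy DATA to BASE share I:\LOCATION\AREA\UK",
    r"manchesteruniteduseDATAwhentheyareplayinggamestogiveaBASE I:\LOCATION\AREA\UK",
    r"DATA export from DATABASE I:\LOCATION\AREA\UK",
]

# Simplified segmentation: runs of letters, digits and underscores become terms.
# Splunk's real segmenters use a longer list of breakers, but the principle is the same.
TOKEN_RE = re.compile(r"[A-Za-z0-9_]+")


def terms(event: str) -> set[str]:
    """Index-time view of an event: the set of lowercased whole terms."""
    return {t.lower() for t in TOKEN_RE.findall(event)}


def term_matches(pattern: str, term: str) -> bool:
    """Match one search term against one indexed term; '*' matches any run of characters.

    A pattern without '*' must equal the whole term, so 'data' never matches 'database'.
    """
    regex = "^" + ".*".join(re.escape(p) for p in pattern.lower().split("*")) + "$"
    return re.match(regex, term) is not None


def search(events: list[str], *search_terms: str) -> list[str]:
    """Implicit AND: every search term must match at least one term of the event."""
    hits = []
    for event in events:
        indexed = terms(event)
        if all(any(term_matches(st, t) for t in indexed) for st in search_terms):
            hits.append(event)
    return hits


if __name__ == "__main__":
    # DATABASE matches two events; DATA AND BASE matches only the one where both are
    # separate terms; DATA* AND *BASE matches three; the run-together string needs *DATA* *BASE*.
    for query in (("DATABASE",), ("DATA", "BASE"), ("DATA*", "*BASE"), ("*DATA*", "*BASE*")):
        print(" AND ".join(query), "->", len(search(EVENTS, *query)), "events")
```

A leading wildcard such as *BASE cannot use the index lexicon efficiently and forces a scan of every term, so on a large index it is far slower than DATA* or a plain term.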