Hi, I have just performed a search
using Database and file path as the items:
(DATABASE) (I:\LOCATION\AREA\UK). This returns 1000000 results.
I tried to QC my method by looking for the following:
(DATA AND BASE) (I:\LOCATION\AREA\UK). This only returned 30000 results, which seems strange, as I thought in theory this one should return all the DATABASE entries and any other occurrence of data and base. Am I doing something obviously wrong?
In order for them to be similar, you need to use (DATA* AND *BASE).
You would very much benefit from examining the lispy generated (the internal Splunk DB language) for each of your searches. Run a search, then after it is done, towards the right above the histogram is a Job menu. Click that and select Inspect job. This will open a new window with useful information, but not the lispy. At the top of this window is a search log link. Click that and search for lispy. Dig and learn.
Hi,
if I am correct, there is quite a difference here.
Searching for "database" will return events with the term "database". Whereas searching for DATA AND BASE will only return events with the terms data and base.
You would need to specify wildcards in order to get everything that contains the term data, like "*data*", "data*", etc.
Skalli
Hi, thanks for your answer.
But if I am searching for DATA and BASE, does this not in theory mean that all the entries for DATABASE will be picked up by this search, as DATABASE contains DATA and BASE?
But this is not what I am seeing: DATABASE is yielding more results than (DATA AND BASE).
If I have, say, a string like manchesteruniteduseDATAwhentheyareplayinggamestogiveaBASE
and I search for (DATA AND BASE), is it not also going to pick it up?
No, think of it like SQL (if you know this language).
If you search for something like this:
WHERE x LIKE 'DATA' OR x LIKE 'BASE'
this will only return events where x = DATA or x = BASE, but it will NOT return events with x = DATABASE.
Because then, you would need to define wildcards, something like this:
WHERE x LIKE 'DATA%' OR x LIKE '%BASE'
So, searching for "base" AND "data" will not return database, if it is one term without a space.
Is it clearer now?
Searching for (DATA* AND *BASE) should return all the events you want.
Skalli