Splunk Search

How to properly use OR and WHERE in splunk

mahbs
Path Finder

Hi,

I'm new to Splunk; my background is mainly in Java and SQL. I was just wondering: what does the operator "OR" mean in Splunk? Does it have a different meaning?

For example, am I using it correctly in this instance:

host = x OR host = y |

Furthermore, I was told the keyword "WHERE" has a different meaning compared to SQL. Could you please explain this to me?

I've looked everywhere for this answer, but haven't really understood other people's explanations and was hoping you could dumb it down as much as possible.

Thanks


cmerriman
Super Champion

There were some great sessions at .conf2017 that could help you learn some basic SPL:
http://conf.splunk.com/sessions/2017-sessions.html
One I'd recommend is Power of SPL; the recording isn't up but the slides are.
There is also this doc that can help you understand a bit of the linguistics:
https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/UnderstandingSPLsyntax

To get to your question, however:
In host = x OR host = y you will retrieve data from both the x and y hosts.
You can also use OR in eval statements. For example, | eval newhost=if(host="x" OR host="y","xy",host) would create a field called newhost with the value xy when the host is either x or y; otherwise the value would be whatever other host value the event has.
OR can also be used in where and search statements.

To elaborate, I'll answer your second part:
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Where?r=searchtip
http://docs.splunk.com/Documentation/Splunk/7.0.0/SearchReference/Search
where can be used to eliminate fields that don't match certain criteria, as can the search command.
The difference between where and search, in my opinion, is that search is best for field-to-value comparisons and where is better for field-to-field comparisons (or evaluating a field and comparing it to a value). You can see examples in the links I supplied.

The SQL where and the SPL where/search generally do the same thing; the only difference should be the syntax.

Sukisen1981
Champion

OR is like the standard Boolean operator in any language:
host = x OR host = y
will return results from both hosts x & y.
Operators like AND, OR, NOT are case sensitive and always in upper case.

WHERE is similar to SQL WHERE.

So, index=xxxx | where host="x"...
will only return results from host x.
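As an added illustration of the points made in both replies above (not code from either poster), the following search builds a small constructed dataset with makeresults, so it runs on any Splunk instance without indexed data, and then applies each construct discussed: OR inside eval, a bare-word field-to-value comparison in search, and a field-to-field comparison that only where can express. The host values and byte counters are made up.

```spl
| makeresults count=4
| streamstats count AS n
| eval host=case(n=1,"x", n=2,"y", n=3,"z", n=4,"x"),
       bytes_in=n*100,
       bytes_out=if(n=4, 900, n*50)
| eval newhost=if(host="x" OR host="y", "xy", host)
| search host=x OR host=y
| where bytes_out > bytes_in
| table n host newhost bytes_in bytes_out
```

The search keeps rows 1, 2 and 4 (hosts x and y), and the where clause keeps only row 4, the one event whose outbound bytes exceed inbound bytes. Note that in where and eval an unquoted word is a field name, so | where host=x would compare host with a (non-existent) field called x and return nothing; quote literal values there, while search accepts the bare word.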
