Solved: Splunk Search - 'OR' operator is missing a clause...

cyler · ‎04-04-2018

Issue, here is my search

index=my_index EventSubType="Computer Modified"

NOT UserName="System"

"HostIP=172.16.1." OR
"HostIP=172.16.4." OR
"HostIP=172.16.5.*" OR

| table _time EventSubType UserName HostIP HostName Message

Here is my error - Error in 'search' command: Unable to parse the search: 'OR' operator is missing a clause on the right hand side.

Please help, thank you

martin_mueller · ‎04-04-2018

Remove the third superfluous OR from your search.

View solution in original post

cyler · ‎04-05-2018

Thank you very much for the help. I am able to get the results I need.

kmaron · ‎04-04-2018

You have an extra OR and you should probably have parentheses if I am reading your intentions correctly.

index=my_index EventSubType="Computer Modified"
NOT UserName="System"  
("HostIP=172.16.1." OR  "HostIP=172.16.4." OR "HostIP=172.16.5.*")    
| table _time EventSubType UserName HostIP HostName Message

With the order of processing and implied ANDs your OR's will not work correctly without the parentheses

cyler · ‎04-05-2018

Very helpful thank you

martin_mueller · ‎04-04-2018

Not quite, the parentheses there are optional. In SPL operator precedence, these two searches are equivalent:

| makeresults | eval a = "1 2", b = "2 3" | makemv a | mvexpand a | makemv b | mvexpand b | search a=1 b=2 OR b=3

| makeresults | eval a = "1 2", b = "2 3" | makemv a | mvexpand a | makemv b | mvexpand b | search a=1 (b=2 OR b=3)

kmaron · ‎04-04-2018

Apparently I was taught wrong. Thanks for the info.

martin_mueller · ‎04-04-2018

Remove the third superfluous OR from your search.

cyler · ‎04-05-2018

Worked thank you!

Splunk Search - 'OR' operator is missing a clause on the right hand side

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!