Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Using multiple OR operators

shiftey
Path Finder
‎05-28-2015 03:50 PM

Hi guys

Im doing a correlation search where Im looking for hostnames and filtering for events I dont want. eg.

sourcetype=dhcplogs where dest!=Prefix1* OR dest!=Prefix2* OR dest!=Prefix3* OR dest!=Prefix4* .....

Is there a more efficient way of grouping multiple OR operators together? Would this help with search processing, or just tidier to read.

Cheers

Tags (2)
Reply

lguinn2
Legend
‎06-19-2017 01:30 PM

Wish Granted!!! In Splunk 6.6 -

Search command supports IN operator

sourcetype=xyz status IN (100, 102, 103)

Eval and where commands support in function

| where in(status,"222","333","444","555")

Reply

DalJeanis
Legend
‎04-26-2017 08:40 AM

This test will ALWAYS be true...

dest!=Prefix1* OR dest!=Prefix2*

...because...
Prefix1PlusSomeStuff is not equal to Prefix2*, so it meets the second criteria.

Prefix2PlusSomeStuff is not equal to Prefix1*, so it meets the first criteria.

...so, that should be coded in either of the following ways...

 NOT ( dest=Prefix1* OR dest=Prefix2*)

...or...

 (dest!=Prefix1* AND dest!=Prefix2*)
0 Karma
Reply

stephanefotso
Motivator
‎05-28-2015 04:02 PM

Hello!
No, there is not another way to do it. And you don't have to put the where clause. just type your search like this:

sourcetype=dhcplogs  (dest!=Prefix1* OR dest!=Prefix2* OR dest!=Prefix3* OR dest!=Prefix4)

Thanks

SGF
0 Karma
Reply

shiftey
Path Finder
‎05-28-2015 07:32 PM

Ive also tried

replace prefix1* with prefix1 in dest| replace prefix2* with prefix* in dest | where dest!=prefix1 OR dest!=prefix2

however that has 0 results. Im thinking Splunk is not treating prefix1* as a wildcard but a string?

Any more advice is most welcome.

Cheers

0 Karma
Reply

stephanefotso
Motivator
‎05-29-2015 12:10 AM

No. There was an error in my query. That is what to write.

replace prefix1* with prefix1 in dest| replace prefix2* with prefix2 in dest | where dest!=prefix1 OR dest!=prefix2

And, If prefix1* is a string in your events, means, you are not trying to match any caracter, just write

...| where dest!="prefix1*" OR dest!="prefix2*"

Thanks

SGF
0 Karma
Reply

shiftey
Path Finder
‎05-28-2015 04:23 PM

Thanks stephanefotso,

I'm using this in a new correlation search using guided mode. Im at the filter stage of the search creation wizard and have put:

dest!=Prefix1* OR dest!=Prefix2*

yet there is an error below that says
" ! Search does not parse"

I've used the network sessions datamodel and specified the search time.

How would I know what "Application Context" to use for each correlation search?

Thanks for your help

0 Karma
Reply

shiftey
Path Finder
‎05-28-2015 04:24 PM

I also specified DHCP as part of the network session data model..

0 Karma
Reply

stephanefotso
Motivator
‎05-28-2015 05:04 PM

If you are at the filter stage, i thing, you must use the where clause. But the problem is that, the star() can not works with the where clause. Means `|where dest!=Prefix1 `is an error.

SGF
0 Karma
Reply

stephanefotso
Motivator
‎05-28-2015 05:21 PM

try:

  ...|replace Prefix1* with Prefix1 in dest|replace Prefix2* with Prefix2 in dest|where dest!=Prefix1 OR dest!=Prefix2
SGF
0 Karma
Reply
Get Updates on the Splunk Community!

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...