Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can I specify a tag that logically ANDs the field value pairs?

dphung
Explorer
‎07-13-2015 02:43 PM

I'd like to setup a tag that is restrictive (AND) in its query rather than inclusive (OR). For example, if you specify a tag with many field value pairs like this:

index=foobar
host=10.17.41.1
host=10.17.41.2

A search using this tag will look for events in index=foobar OR host=10.17.41.1 OR host=10.17.41.2, but I want the search to look for events in index=foobar AND (host=10.17.41.1 OR host=10.17.41.2). I tried explicitly setting the following as a tag but no results were returned:

index=foobar AND (host=10.17.41.1 OR host=10.17.41.2)
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
Legend
‎07-13-2015 02:52 PM

Hi dphung,

create an eventtype out of this search http://docs.splunk.com/Documentation/Splunk/6.2.4/knowledge/Defineeventtypes#Save_a_search_as_an_eve... and tag this eventype and your get what you want.

cheers, MuS

View solution in original post

Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎07-13-2015 02:55 PM

Use this:

tag::index=your_tag tag::host=your_tag

That'll prevent the OR'ing between different fields, and ANDs them instead.

Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎07-13-2015 03:48 PM

Don't change your tag definitions, change your search. tag=foo looks for any tag named foo, tag::field=foo looks for tags named foo for the specified field only, breaking up the long OR chain.

0 Karma
Reply
Solved! Jump to solution

dphung
Explorer
‎07-13-2015 04:01 PM

The point of the question was to not change the search query. I want to keep that part as simple as tag=foo and have that tag expand to the logical equivalent of
'index=foobar AND (host=bar1 OR host=bar2)

I was able to do this with a combination of eventtypes and tagging as suggested by @MuS.

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎07-13-2015 04:23 PM

You should add such a requirement to your question.

Reply
Solved! Jump to solution

dphung
Explorer
‎07-13-2015 03:44 PM

Are you saying I need to add 'tag::' in front of each of my field/value pairs? E.g. My tag would look like:

tag::index=foobar
tag::host=10.17.41.1
tag::host=10.17.41.2

I just tried this and it didn't work. What I want to be able to do is use the tag to reference this set of field/value pairs, so if I named my tag above 'mytag', my search would be:

splunk> tag=mytag somedata

0 Karma
Reply
Solved! Jump to solution
Solution

MuS
Legend
‎07-13-2015 02:52 PM

Hi dphung,

create an eventtype out of this search http://docs.splunk.com/Documentation/Splunk/6.2.4/knowledge/Defineeventtypes#Save_a_search_as_an_eve... and tag this eventype and your get what you want.

cheers, MuS

Reply
Solved! Jump to solution

dphung
Explorer
‎07-13-2015 04:06 PM

A little circuitous but this works. Here's what I had to do:

1) Create tag=myhosts
host=10.17.41.1
host=10.17.41.2

2) Create an eventtype=my_index_search_terms that bound the index and the hosts with the AND
search> index=foobar AND tag=myhosts

3) Create a tag aliasing a tag (tag=index_hosts) to the eventtype:
eventtype=my_index_search_terms

So now, when I do a search like:
> tag=index_hosts status=404

It refines that search to only look for events coming from that host in that index.

0 Karma
Reply
Get Updates on the Splunk Community!

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...