Solved: display result with specific condition matched

cykuan · ‎05-26-2015

Hi All,

If I want to display the result with contain the below number(+61011 or +61012) the first 5 digits numbers.

25/04/2014 00:00:00,CALL_SUCCESSFUL,VOICE,+6101156789,tel:+6101256789,25/04/2014 1:04:08,25/04/2014 2:00:00,0,GS-client/SMH3.0 gsh/dd A/1.1.1 COM/4.5.6,GS-client/SMH3.0 gsh/dd A/1.1.1 COM/4.5.6

I have tried to use this command but no display show out.
(CALL_STOPPED OR CALL_SUCCESSFUL,VOICE) AND (+61011 OR +61012 OR +61013) earliest=04/22/2014:00:00:00

MichaelPriest · ‎05-26-2015

I think you need to include some speech marks around some or you conditions, so something like:

("CALL_STOPPED" OR "CALL_SUCCESSFUL,VOICE") AND ("+61011" OR "+61012" OR "+61013") earliest=04/22/2014:00:00:00

See this similar question:
http://answers.splunk.com/answers/120097/query-on-using-and-or.html

View solution in original post

MichaelPriest · ‎05-26-2015

I think you need to include some speech marks around some or you conditions, so something like:

("CALL_STOPPED" OR "CALL_SUCCESSFUL,VOICE") AND ("+61011" OR "+61012" OR "+61013") earliest=04/22/2014:00:00:00

See this similar question:
http://answers.splunk.com/answers/120097/query-on-using-and-or.html

cykuan · ‎05-26-2015

Hi Michael,

I have tried your method, but it didn't work for me. If I input the search with the full digits(e.g.+6101156789), then the result will display. However, I only want to display the result with only match the first 5 digits.

MichaelPriest · ‎05-26-2015

Ok, then use then wildcard(*), so for example:

("*+61011*") will return all results that contain +61011

display result with specific condition matched

Index This | Forward, I’m heavy; backward, I’m not. What am I?

A Guide To Cloud Migration Success

Join Us for Splunk University and Get Your Bootcamp Game On!