Splunk Search

Query on using AND, OR

Jananee_iNautix
Path Finder

20131209.dbg0.log:2013-12-09 17:52:12,435 [58c8] SUCCESS: File successfully uploaded using SFTP. Filename was [nv_afis_nav_download12092013145008.csv]. File length was [1403].
20131209.dbg0.log:2013-12-05 15:34:00,895 [275f275f] MAJOR: File [/ftxprd1/BNYM_NONPROD_ZEROBYTE_TESTING/dir_monitor/Zero_Byte_Check_92kb.log] already exists. [.io.agents.filecopy.Filecopy]

20131220.server-status0.log:13-12-20 09:38:00 [76aa] SUCCESS: The FTP Server [rsba.net - FTP SERVER] uploaded file [/outbound/_2_113237579.csv] of length 1989 bytes from userid [EBD]. The [EBD] user logged in from [17.61.10.10:358] with security mode [DISABLED].

From the above-mentioned events, the following exact phrases / strings need to be searched:

events containing the word "file"
events containing the phrase "SUCCESS: File successfully uploaded"
events containing the phrase "MAJOR:"
Note : Events should contain ("file" & "SUCCESS: File successfully uploaded") (OR) ("file" & "MAJOR").

Output should look like

Output :
20131209.dbg0.log:2013-12-09 17:52:12,435 [58c8] SUCCESS: File successfully uploaded using SFTP. Filename was [nv_afis_nav_download12092013145008.csv]. File length was [1403].
20131209.dbg0.log:2013-12-05 15:34:00,895 [275f275f] MAJOR: File [/ftxprd1/BNYM_NONPROD_ZEROBYTE_TESTING/dir_monitor/Zero_Byte_Check_92kb.log] already exists. [.io.agents.filecopy.Filecopy]

I tried the following query:

index=fer file AND ("SUCCESS: File successfully uploaded" OR "MAJOR") | search source="*.dbg0.log"

I didn't get the desired result. Could you please correct the query to fetch the desired events?

0 Karma

stephane_cyrill
Builder

Hi Jananee_iNautix,
You wanted, in your comment, to know whether Splunk processes with left-to-right association.
When you run a query like that, Splunk processes the events in their arriving order.

Concerning the query, Splunk processes from left to right, but note that all the search elements are always processed, and no matter the order of OR and AND, the order of the resulting events will be the same if you don't sort or transform it.

0 Karma

chimell
Motivator

Just try it like this; I think it may be done:

index=fer source="*.dbg0.log" ("file" AND "SUCCESS: File successfully uploaded") OR ("file" AND "MAJOR")
0 Karma

linu1988
Champion

Hello,
This should work.

index=fer ("file" AND "SUCCESS: File successfully uploaded") OR ( "file" AND "MAJOR") source="*.dbg0.log" 

Thanks

0 Karma

Jananee_iNautix
Path Finder

index=fxr file AND (MAJOR) OR (SUCCESS: AND File AND successfully AND uploaded) | search source="*.dbg-*trc.log"

This query fetched the correct number of events as expected. I want to confirm whether Splunk follows right-to-left associativity in the above query, or what? Because the following query also fetched the same results as expected:

index=fxr (file) AND ((MAJOR) OR (SUCCESS: AND File AND successfully AND uploaded)) | search source="*.dbg-*trc.log"

0 Karma
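The two queries in the post above return the same events because of how Splunk orders Boolean evaluation, not because of associativity: the Splunk Search Manual ("Boolean expressions") lists the evaluation order as parentheses first, then NOT, then OR, and AND last, with adjacent terms joined by an implicit AND. So `file AND MAJOR OR (...)` is already read as `file AND (MAJOR OR (...))`, which is exactly what the explicit parentheses in the second query spell out. The following Python is an added example, not code from this thread or from Splunk; it parses a search string under Splunk's precedence (and, for contrast, under the conventional AND-before-OR rule) and runs it over the three log lines quoted in the question. Term matching is simplified to a case-insensitive substring test, which is an assumption; real Splunk matches against indexed tokens, so phrase and punctuation behaviour can differ.

```python
"""Toy evaluator for Splunk-style Boolean search strings.

Precedence implemented (per the Splunk Search Manual, "Boolean expressions"):
parentheses, then NOT, then OR, then AND; adjacent terms are an implicit AND.
Term matching is approximated as a case-insensitive substring test (assumption).
"""
import re

# Constructed sample events: the three log lines quoted in the question.
EVENTS = [
    '20131209.dbg0.log:2013-12-09 17:52:12,435 [58c8] SUCCESS: File successfully '
    'uploaded using SFTP. Filename was [nv_afis_nav_download12092013145008.csv]. '
    'File length was [1403].',
    '20131209.dbg0.log:2013-12-05 15:34:00,895 [275f275f] MAJOR: File '
    '[/ftxprd1/BNYM_NONPROD_ZEROBYTE_TESTING/dir_monitor/Zero_Byte_Check_92kb.log] '
    'already exists. [.io.agents.filecopy.Filecopy]',
    '20131220.server-status0.log:13-12-20 09:38:00 [76aa] SUCCESS: The FTP Server '
    '[rsba.net - FTP SERVER] uploaded file [/outbound/_2_113237579.csv] of length '
    '1989 bytes from userid [EBD]. The [EBD] user logged in from [17.61.10.10:358] '
    'with security mode [DISABLED].',
]

# A token is a quoted phrase, a parenthesis, or a run of non-space, non-paren chars.
TOKEN_RE = re.compile(r'"([^"]*)"|([()])|([^\s()"]+)')


def tokenize(query):
    """Split a search string into (kind, value) tokens."""
    tokens = []
    for m in TOKEN_RE.finditer(query):
        if m.group(1) is not None:
            tokens.append(('TERM', m.group(1)))          # quoted phrase
        elif m.group(2):
            tokens.append((m.group(2), m.group(2)))      # '(' or ')'
        elif m.group(3) in ('AND', 'OR', 'NOT'):
            tokens.append((m.group(3), m.group(3)))      # operator keyword
        else:
            tokens.append(('TERM', m.group(3)))          # bare keyword
    return tokens


class Parser:
    """Recursive-descent parser producing a nested-tuple AST."""

    def __init__(self, tokens, splunk_precedence=True):
        self.toks, self.i, self.splunk = tokens, 0, splunk_precedence

    def peek(self):
        return self.toks[self.i][0] if self.i < len(self.toks) else None

    def take(self):
        tok = self.toks[self.i]
        self.i += 1
        return tok

    def parse(self):
        node = self.binary(level=0)
        if self.peek() is not None:
            raise SyntaxError('unexpected token %r' % (self.toks[self.i],))
        return node

    def binary(self, level):
        # Splunk: AND binds loosest (level 0), OR tighter (level 1).
        # Conventional languages: the other way round.
        ops = ('AND', 'OR') if self.splunk else ('OR', 'AND')
        op = ops[level]
        operand = (lambda: self.binary(level + 1)) if level == 0 else self.unary
        node = operand()
        while True:
            nxt = self.peek()
            if nxt == op:
                self.take()
            elif op == 'AND' and nxt in ('TERM', 'NOT', '('):
                pass                       # implicit AND between adjacent terms
            else:
                return node
            node = (op, node, operand())

    def unary(self):
        if self.peek() == 'NOT':
            self.take()
            return ('NOT', self.unary())
        kind, value = self.take()
        if kind == '(':
            node = self.binary(level=0)
            if self.take()[0] != ')':
                raise SyntaxError('missing closing parenthesis')
            return node
        if kind == 'TERM':
            return ('TERM', value)
        raise SyntaxError('unexpected %r' % kind)


def matches(node, event):
    """Evaluate an AST against one raw event string."""
    kind = node[0]
    if kind == 'TERM':
        return node[1].lower() in event.lower()     # simplified term match
    if kind == 'NOT':
        return not matches(node[1], event)
    left, right = matches(node[1], event), matches(node[2], event)
    return (left and right) if kind == 'AND' else (left or right)


def to_string(node):
    """Render the AST fully parenthesised so the precedence is visible."""
    kind = node[0]
    if kind == 'TERM':
        return '"%s"' % node[1] if ' ' in node[1] else node[1]
    if kind == 'NOT':
        return 'NOT ' + to_string(node[1])
    return '(%s %s %s)' % (to_string(node[1]), kind, to_string(node[2]))


def explain(query, splunk_precedence=True):
    return to_string(Parser(tokenize(query), splunk_precedence).parse())


def search(query, events=EVENTS, splunk_precedence=True):
    """Return the indices of events matching the query."""
    ast = Parser(tokenize(query), splunk_precedence).parse()
    return [i for i, ev in enumerate(events) if matches(ast, ev)]


if __name__ == '__main__':
    q = 'file AND (MAJOR) OR (SUCCESS: AND File AND successfully AND uploaded)'
    print(explain(q), search(q))
    q2 = 'MAJOR AND dir_monitor OR rsba.net'
    print('splunk      :', explain(q2), search(q2))
    print('conventional:', explain(q2, False), search(q2, splunk_precedence=False))
```

The first query above matches events 0 and 1 under both precedence rules, which is why both forms in the post agree. The second query shows where they diverge: Splunk reads it as `MAJOR AND (dir_monitor OR rsba.net)` and returns only the MAJOR event, whereas the conventional reading `(MAJOR AND dir_monitor) OR rsba.net` also pulls in the FTP server line. When a search mixes AND and OR, write the parentheses explicitly so the intent does not depend on remembering this rule.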

linu1988
Champion

Modified the query as per your comment.

Note : Events should contain ("file" & "SUCCESS: File successfully uploaded") (OR) ("file" & "MAJOR")

0 Karma

Jananee_iNautix
Path Finder

The search query you gave is not fetching the results as expected. If I give SUCCESS: alone or MAJOR alone, like

index=fer "file" AND ("SUCCESS:" OR "MAJOR:") source="*.dbg0.log"

the events are listed according to the query given. But when given like

index=fer "file" AND ("SUCCESS: File successfully uploaded" OR "MAJOR: File ") source="*.dbg0.log"

nothing is listed out. Can you say why it is happening and resolve it?

0 Karma