Reputation: 11
Splunk searching questions
Will the following searches return the same results?
SEARCH 1:
ssh error
SEARCH 2:ssh AND errorWill the following searches not return the same results?
SEARCH 1:
purchase
SEARCH 2:action=purchase
Upvotes: 0
Views: 485
Answers (2)
Reputation: 207
Yes, AND is implied..
They will NOT return the same searches. An example includes an event having "The user did not purchase this item" vs action=purchase which means the user purchased the item
Upvotes: 0
Reputation: 81
In SPL, the terms of an initial search are each treated as limitations on the search (i.e. ANDs).
Thus, these two searches are identical...
"foo" "bar"
"foo" AND "bar"
In SPL, logical operators must be upper case. Thus, these two searches are NOT identical...
"foo" AND "bar"
"foo" and "bar"
...but these two are identical...
"foo" AND and AND "bar"
"foo" and "bar"
In SPL, a search term by itself will return every event that contains the term in any field, whereas a key value pair will return only the events that contain that term in that field.
Thus, these two searches are NOT identical, but might return the same result if "foo" (A) never occurred in any field, or (B) only occurred as a value in the field bar.
"foo"
bar="foo"
Upvotes: 1
Related Questions
- Splunk search query syntax?
- Splunk conditional search
- Query to extract data
- Splunk: Return One or True from a search, use that result in another search
- Data Analysis in Splunk
- Splunk base search on dashboard and post processing the results
- nested condition in splunk
- Splunk Query to update a query
- Splunk how to combine two queries and get one answer
- Splunk breakdown results by matched search phrase