Splunk Cloud Platform

Search Manual

Boolean expressions with logical operators

The Splunk search processing language (SPL) supports the following logical operators in Boolean expressions: AND, OR, NOT, and XOR.

The operators must be capitalized.

The AND operator is always implied between terms, that is: web error is the same as web AND error. So unless you want to include it for clarity reasons, you should not need to specify the AND operator.

The NOT operator only applies to the term immediately following NOT. To apply to multiple terms, you must enclose the terms in parenthesis.

Inclusion is generally better than exclusion. Searching for "access denied" will yield faster results than NOT "access granted".

Order of evaluation

The order in which the Splunk software evaluates Boolean expressions depends on whether you are using the expression with the search command, the eval command, or the where command. This includes the implied search command at the beginning of the search.

The search command evaluates OR before AND operators (XOR is not supported). The eval and where commands evaluate AND before OR operators.

The following table describes the order in which the Boolean expressions are evaluated by the commands.

Order Search command Eval and where commands
1 Expressions within parentheses Expressions within parentheses
2 NOT clauses NOT clauses
3 OR clauses AND clauses
4 AND clauses OR clauses
5 XOR clauses

Examples

The following examples show how Splunk software processes Boolean expressions using logical operators.

Search command example with AND and OR

Consider the following search:

host="www1" AND status=200 OR action="addtocart"

With the search command, the AND is implied between the expressions. The same results are returned if you omit the AND in the search and specify host="www1" status=200 OR action="addtocart".

This search is processed as:

host="www1" AND (status=200 OR action="addtocart")

This search returns:

  • All of the events where the host is www1 and the status is either 200 or the action is addtocart.

With the search command, the OR is processed before the AND.

The where command processes this search differently, as shown in the next example.

Where command example with AND and OR

Consider the following search:

...| where host="www1" AND status=200 OR action="addtocart"

This search is processed as:

...| where (host="www1" AND status=200) OR action="addtocart"

This search returns:

  • All of the events where the host is www1 and the status is 200.
  • All of the events where the action is addtocart.

With the where command the AND is processed before the OR.

Last modified on 22 January, 2025
Use CASE() and TERM() to match phrases   Difference between != and NOT

This documentation applies to the following versions of Splunk Cloud Platform: 8.2.2203, 8.2.2112, 8.2.2201, 8.2.2202, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release), 9.3.2408


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters