Jun 28, 2018

    How to combine 2 queries with OR

    DennisBray

      I am working with Log Insight 4.6 and am looking for a way to combine two queries that each work individually, but don't really have any intersection other than they both are related to a specific application.


      Here are examples of the queries:


      The first query:

      hostname contains "app-ts01" or "app-ta02" or "ops-sql1"

      channel contains "application" or "system"

      text contains "this" or "that"

      level contains "critical" or "warning" or "error"


      The second query:

      hostname contains "locA-dc-01"

      channel contains "security"

      keywords contains "Audit Failure"

      text contains "APPServiceUsername"


      If I combine them into a single query by combining the hostnames, channels, text, etc., no matches are returned because the logic fails.


      It appears to me that I need to have a query that has the query 1 parameters logically OR'ed with the query 2 parameters.


      I am hoping there is something easy or obvious that I am missing!
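
The logic described in the post, modeled as an added example in Python (not part of the original post and not Log Insight query syntax). It assumes filter rows are ANDed together while the values inside one row are ORed; the events are constructed sample data, and `merge_rows` and `run_either` are hypothetical helper names.

```python
# Constructed sample events; field names follow the post, values are invented.
EVENTS = [
    {"hostname": "app-ts01", "channel": "application", "level": "error",
     "keywords": "", "text": "this service failed to start"},
    {"hostname": "locA-dc-01", "channel": "security", "level": "information",
     "keywords": "Audit Failure", "text": "logon failed for APPServiceUsername"},
    {"hostname": "ops-sql1", "channel": "system", "level": "information",
     "keywords": "", "text": "that job completed"},
]

QUERY_1 = {
    "hostname": ["app-ts01", "app-ta02", "ops-sql1"],
    "channel": ["application", "system"],
    "text": ["this", "that"],
    "level": ["critical", "warning", "error"],
}
QUERY_2 = {
    "hostname": ["locA-dc-01"],
    "channel": ["security"],
    "keywords": ["Audit Failure"],
    "text": ["APPServiceUsername"],
}

def matches(event, query):
    """Assumed semantics: every row must match (AND); any value in a row may match (OR)."""
    return all(
        any(v.lower() in event.get(field, "").lower() for v in values)
        for field, values in query.items()
    )

def run(query, events=EVENTS):
    return [e for e in events if matches(e, query)]

def merge_rows(q1, q2):
    """Naive merge from the post: pool each field's values into a single row."""
    merged = {}
    for q in (q1, q2):
        for field, values in q.items():
            merged.setdefault(field, []).extend(values)
    return merged

def run_either(q1, q2, events=EVENTS):
    """Logical OR of two whole queries: keep events that satisfy either one."""
    return [e for e in events if matches(e, q1) or matches(e, q2)]

if __name__ == "__main__":
    print("merged rows:", [e["hostname"] for e in run(merge_rows(QUERY_1, QUERY_2))])
    print("q1 OR q2:   ", [e["hostname"] for e in run_either(QUERY_1, QUERY_2)])
```

The merged filter returns nothing because the application events carry no "Audit Failure" keyword and the security event's level is not in the level row, so every event fails at least one ANDed row.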