2 Replies Latest reply on Jun 28, 2018 10:26 AM by DennisBray

    How to combine 2 queries with OR

    DennisBray Hot Shot
    vExpert

      I am working with Log Insight 4.6 and am looking for a way to combine two queries that each work individually, but don't really have any intersection other than they both are related to a specific application.

       

      Here are examples of the queries:

       

      The first query:

      hostname contains "app-ts01" or "app-ta02" or "ops-sql1"

      channel contains "application" or "system"

      text contains "this" or "that"

      level contains "critical" or "warning" or "error"

       

      The second query:

      hostname contains "locA-dc-01"

      channel contains "security"

      keywords contains "Audit Failure"

      text contains "APPServiceUsername"

       

      If I combine them into a single query by combining the hostnames, channels, text, etc., no matches are returned because the logic fails.

       

      It appears to me that I need to have a query that has the query 1 parameters logically OR'ed with the query 2 parameters.

       

      I am hoping there is something easy or obvious that I am missing!

       

      Suggestions?

       

      Dennis
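The logic described in the post above, as an added example that is not part of the original post and is not Log Insight query syntax: it models each filter as "OR within a field, AND across fields" (an assumption taken from the post's description, with `contains` treated as a case-insensitive substring match) and compares the merged single query with the two queries OR'ed together. The sample events and the `keywords`/`level` values on them are constructed.

```python
# Constructed sample events; field names follow the post, values are invented.
EVENTS = [
    {"hostname": "app-ts01", "channel": "application", "text": "this failed",
     "level": "error", "keywords": ""},
    {"hostname": "ops-sql1", "channel": "system", "text": "that service stopped",
     "level": "warning", "keywords": ""},
    {"hostname": "locA-dc-01", "channel": "security",
     "text": "Logon failure for APPServiceUsername",
     "level": "information", "keywords": "Audit Failure"},
    {"hostname": "locA-dc-01", "channel": "security", "text": "Logon for otheruser",
     "level": "information", "keywords": "Audit Success"},
    {"hostname": "app-ts01", "channel": "application", "text": "this is fine",
     "level": "information", "keywords": ""},
]

# The two queries from the post: each field maps to its OR'ed values.
QUERY_1 = {"hostname": ["app-ts01", "app-ta02", "ops-sql1"],
           "channel": ["application", "system"],
           "text": ["this", "that"],
           "level": ["critical", "warning", "error"]}
QUERY_2 = {"hostname": ["locA-dc-01"],
           "channel": ["security"],
           "keywords": ["Audit Failure"],
           "text": ["APPServiceUsername"]}

def matches(event, query):
    """Assumed semantics: every field filter must hit (AND); any value may hit (OR)."""
    return all(any(v.lower() in event.get(field, "").lower() for v in values)
               for field, values in query.items())

def merge(q1, q2):
    """Combine value lists per field, as when merging both queries into one."""
    merged = {}
    for q in (q1, q2):
        for field, values in q.items():
            merged.setdefault(field, []).extend(values)
    return merged

def run_merged(events):
    # level AND keywords are now both required, which no single event satisfies.
    return [e for e in events if matches(e, merge(QUERY_1, QUERY_2))]

def run_or(events):
    # (query 1) OR (query 2): the union the post is asking for.
    return [e for e in events if matches(e, QUERY_1) or matches(e, QUERY_2)]

if __name__ == "__main__":
    print("merged:", len(run_merged(EVENTS)), "OR'ed:", len(run_or(EVENTS)))
```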