Boolean expressions with logical operators

The Splunk search processing language (SPL) supports the following logical operators in Boolean expressions: AND, OR, NOT, and XOR.

The operators must be capitalized.

The AND operator is always implied between terms, that is: web error is the same as web AND error. So unless you want to include it for clarity reasons, you should not need to specify the AND operator.

The NOT operator only applies to the term immediately following NOT. To apply to multiple terms, you must enclose the terms in parenthesis.

Note: Inclusion is generally better than exclusion. Searching for "access denied" will yield faster results than NOT "access granted".

Order of evaluation

The order in which the Splunk software evaluates Boolean expressions depends on whether you are using the expression with the search command, the eval command, or the where command. This includes the implied search command at the beginning of the search.

The search command evaluates OR before AND operators (XOR is not supported). The eval and where commands evaluate AND before OR operators.

The following table describes the order in which the Boolean expressions are evaluated by the commands.

Order Search command Eval and where commands
1 Expressions within parentheses Expressions within parentheses
2 NOT clauses NOT clauses
3 OR clauses AND clauses
4 AND clauses OR clauses
5 XOR clauses

Examples

The following examples show how Splunk software processes Boolean expressions using logical operators.

Search command example with AND and OR

Consider the following search: 

host="www1" AND status=200 OR action="addtocart"

With the search command, the AND is implied between the expressions. The same results are returned if you omit the AND in the search and specify host="www1" status=200 OR action="addtocart".

This search is processed as: 

host="www1" AND (status=200 OR action="addtocart")

This search returns:

  • All of the events where the host is www1 and the status is either 200 or the action is addtocart.

With the search command, the OR is processed before the AND.

The where command processes this search differently, as shown in the next example.

Where command example with AND and OR

Consider the following search: 

...| where host="www1" AND status=200 OR action="addtocart"

This search is processed as: 

...| where (host="www1" AND status=200) OR action="addtocart"

This search returns:

  • All of the events where the host is www1 and the status is 200.
  • All of the events where the action is addtocart.

With the where command the AND is processed before the OR.

Search command example with NOT

Consider the following search: 

host="www1" NOT status=200

This search returns all host="www1" events that have status codes not equal to 200.

Note: Searches that exclude results using the NOT operator are typically less efficient than searches that are more inclusive. As a result, you should avoid using NOT when possible.

Search command examples with AND NOT and NOT OR

Consider the following search: 

host="www1" NOT status=200 AND NOT status=505

It produces the same results as the following search: 

host="www1" NOT (status=200 OR status=505)

These searches return all host="www1" events that have status codes not equal to 200 or 505. These searches should have fewer results than a search that just excludes events with status equal to 200.

Note: Searches that exclude results using the NOT operator are typically less efficient than searches that are more inclusive. As a result, you should avoid using NOT when possible.