https://community.splunk.com/t5/Getting-Data-In/How-to-search-for-multiple-fields-in-a-source-files/m-p/154060#M31325 <P>Hi thanks for the response, what I'm trying to do is look through a lot of source files so I can't exactly type in all of the names of the file, it there a way to scan all source files in the index?</P> Wed, 22 Apr 2015 16:40:10 GMT npestana88 2015-04-22T16:40:10Z https://community.splunk.com/t5/Getting-Data-In/How-to-search-for-multiple-fields-in-a-source-files/m-p/154058#M31323 <P>So I have a set of source files that list different fields as separate events and I would like to search for source files that have the specified field values. However when I search for multiple fields (eg. diameter=30 AND temp=77) it doesn't return any results since the fields are contained in different events. Is there a way around it? All I need are the names of the source files.<BR /> Sorry if this is an obvious question, I'm still new at this</P> Wed, 22 Apr 2015 16:01:13 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-search-for-multiple-fields-in-a-source-files/m-p/154058#M31323 npestana88 2015-04-22T16:01:13Z https://community.splunk.com/t5/Getting-Data-In/How-to-search-for-multiple-fields-in-a-source-files/m-p/154059#M31324 <P>Hello! Try.</P> <PRE><CODE>.....source=firstsourcefile OR source=secondsourcefile (diameter=30 AND temp=77)|...... </CODE></PRE> Wed, 22 Apr 2015 16:18:38 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-search-for-multiple-fields-in-a-source-files/m-p/154059#M31324 stephanefotso 2015-04-22T16:18:38Z https://community.splunk.com/t5/Getting-Data-In/How-to-search-for-multiple-fields-in-a-source-files/m-p/154060#M31325 <P>Hi thanks for the response, what I'm trying to do is look through a lot of source files so I can't exactly type in all of the names of the file, it there a way to scan all source files in the index?</P> Wed, 22 Apr 2015 16:40:10 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-search-for-multiple-fields-in-a-source-files/m-p/154060#M31325 npestana88 2015-04-22T16:40:10Z https://community.splunk.com/t5/Getting-Data-In/How-to-search-for-multiple-fields-in-a-source-files/m-p/154061#M31326 <P>ok let suppose that your souce name is <STRONG>mysource/poooo/jjjjjjj/yyyyyyy/............./</STRONG> or <STRONG>yyyyyyyyyy/second/........</STRONG></P> <P>you can use the star(*) symbol to match any caracter in your source field. Something like this</P> <PRE><CODE>source=mysource* OR source=*second* (diameter=30 AND temp=77)|... </CODE></PRE> Wed, 22 Apr 2015 17:10:56 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-search-for-multiple-fields-in-a-source-files/m-p/154061#M31326 stephanefotso 2015-04-22T17:10:56Z https://community.splunk.com/t5/Getting-Data-In/How-to-search-for-multiple-fields-in-a-source-files/m-p/154062#M31327 <P>To paraphrase, it sounds like you're trying to search for particular events to generate a list of sources. From this curated list, search for a different type of events, right?</P> <P>If so, make yourself familiar with sub-searches:<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/latest/Search/Aboutsubsearches">http://docs.splunk.com/Documentation/Splunk/latest/Search/Aboutsubsearches</A></P> <P>Also, what precisely are you trying to look for that should belong to the first group of sources vs. what should be found from the other?</P> <P>Your structure would basically look like this:</P> <P>Subsearch query for the events:</P> <BLOCKQUOTE> <P>source= diameter=X</P> </BLOCKQUOTE> <P>Filter this to specifically the sources:</P> <BLOCKQUOTE> <P>source= diameter=X | fields<BR /> source</P> </BLOCKQUOTE> <P>Insert into a different search, which includes the other field:</P> <BLOCKQUOTE> <P>( [search source= diameter=X<BR /> | fields source ]) temp=Y</P> </BLOCKQUOTE> <P>Now you have all events that fit <EM>temp=Y</EM> but only if that source has events that match <EM>diameter=X</EM>. Let me know if that works!</P> Wed, 22 Apr 2015 22:37:25 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-search-for-multiple-fields-in-a-source-files/m-p/154062#M31327 hcbomb 2015-04-22T22:37:25Z