https://community.splunk.com/t5/Getting-Data-In/After-matching-2-different-data-sources-based-on-srcip-why-is/m-p/357681#M65321 <P>Hi,</P> <P>I try to match two events in one search. one event must match virus and the other android. because the clearpass name for srcip is Ip_address i use the "|rename". </P> <P>The problem is, the output is none. If I try OR instead of AND, it shows only clearpass output and if I delete the "|rename" it shows only syslog info.</P> <PRE><CODE>(index="main" sourcetype="syslog") OR (index="main" sourcetype="aruba:cppm:syslog") |rename ip_address as srcip |transaction srcip keepevicted=true maxspan=-1 |search subtype="virus" AND device_family="android" </CODE></PRE> Tue, 24 Apr 2018 10:01:45 GMT nielsg97 2018-04-24T10:01:45Z https://community.splunk.com/t5/Getting-Data-In/After-matching-2-different-data-sources-based-on-srcip-why-is/m-p/357681#M65321 <P>Hi,</P> <P>I try to match two events in one search. one event must match virus and the other android. because the clearpass name for srcip is Ip_address i use the "|rename". </P> <P>The problem is, the output is none. If I try OR instead of AND, it shows only clearpass output and if I delete the "|rename" it shows only syslog info.</P> <PRE><CODE>(index="main" sourcetype="syslog") OR (index="main" sourcetype="aruba:cppm:syslog") |rename ip_address as srcip |transaction srcip keepevicted=true maxspan=-1 |search subtype="virus" AND device_family="android" </CODE></PRE> Tue, 24 Apr 2018 10:01:45 GMT https://community.splunk.com/t5/Getting-Data-In/After-matching-2-different-data-sources-based-on-srcip-why-is/m-p/357681#M65321 nielsg97 2018-04-24T10:01:45Z