https://community.splunk.com/t5/Splunk-Search/Search-inside-the-files-based-on-keywords-to-do-sub-search-in/m-p/361444#M106745 <P>Yes files are there in splunk currently. I already tried the way @cmerriman mentioned as below: </P> <PRE><CODE>source=*.txt SQLDB |search KEYWORD1 OR KEYWORD2 </CODE></PRE> <P>The problem I am facing here is since we have base search as "SQLDB", it will only shows lines with "SQLDB" in those txt files. <BR /> But I need to search KEYWORD1 and KEYWORD2 inside the text files having "SQLDB".</P> Thu, 08 Feb 2018 17:18:05 GMT rojit 2018-02-08T17:18:05Z https://community.splunk.com/t5/Splunk-Search/Search-inside-the-files-based-on-keywords-to-do-sub-search-in/m-p/361440#M106741 <P>I have following types of txt files in my source and contents of each files are mentioned below in CAPS:</P> <P><STRONG>a1.txt:</STRONG><BR /> KEYWORD1<BR /> SQLDB</P> <P><STRONG>a2.txt:</STRONG><BR /> KEYWORD1<BR /> KEYWORD2 </P> <P><STRONG>a3.txt:</STRONG><BR /> KEYWORD1<BR /> KEYWORD2<BR /> SQLDB</P> <P><STRONG>a4.txt:</STRONG><BR /> KEYWORD1<BR /> KEYWORD2</P> <P>From the above files, I need to search only txt files contains 'SQLDB' to fetch values 'KEYWORD1' or 'KEYWORD2' inside that file. <BR /> In above example, it should search only a1.txt and a3.txt files for me to have my further searches. </P> <P>So basically, need to identify certain ways similar to Exists.<BR /> Appreciable, if anyone can help me to achieve this..</P> Thu, 08 Feb 2018 11:32:12 GMT https://community.splunk.com/t5/Splunk-Search/Search-inside-the-files-based-on-keywords-to-do-sub-search-in/m-p/361440#M106741 rojit 2018-02-08T11:32:12Z https://community.splunk.com/t5/Splunk-Search/Search-inside-the-files-based-on-keywords-to-do-sub-search-in/m-p/361441#M106742 <P>Are these file in Splunk already? If so, the "source" field should contain the file name. Can you confirm this?</P> <P>If they are NOT in Splunk, well, that's probably your first step.</P> Thu, 08 Feb 2018 12:31:39 GMT https://community.splunk.com/t5/Splunk-Search/Search-inside-the-files-based-on-keywords-to-do-sub-search-in/m-p/361441#M106742 Richfez 2018-02-08T12:31:39Z https://community.splunk.com/t5/Splunk-Search/Search-inside-the-files-based-on-keywords-to-do-sub-search-in/m-p/361442#M106743 <P>as @rich7177 mentions, if the files are in Splunk, and they are listed as <STRONG>sources</STRONG> you're search could be something like <CODE>source=*.txt SQLDB |search KEYWORD1 OR KEYWORD2</CODE></P> Thu, 08 Feb 2018 12:53:51 GMT https://community.splunk.com/t5/Splunk-Search/Search-inside-the-files-based-on-keywords-to-do-sub-search-in/m-p/361442#M106743 cmerriman 2018-02-08T12:53:51Z https://community.splunk.com/t5/Splunk-Search/Search-inside-the-files-based-on-keywords-to-do-sub-search-in/m-p/361443#M106744 <P>Thanks @cmerriman and yes files are there in splunk server. I already tried the above step. <BR /> The problem I am facing here is since we have base search as "SQLDB", it already will only shows lines with "SQLDB" in those txt files. <BR /> But I need to search KEYWORD1 and KEYWORD2 inside the text file having "SQLDB".</P> Thu, 08 Feb 2018 17:16:17 GMT https://community.splunk.com/t5/Splunk-Search/Search-inside-the-files-based-on-keywords-to-do-sub-search-in/m-p/361443#M106744 rojit 2018-02-08T17:16:17Z https://community.splunk.com/t5/Splunk-Search/Search-inside-the-files-based-on-keywords-to-do-sub-search-in/m-p/361444#M106745 <P>Yes files are there in splunk currently. I already tried the way @cmerriman mentioned as below: </P> <PRE><CODE>source=*.txt SQLDB |search KEYWORD1 OR KEYWORD2 </CODE></PRE> <P>The problem I am facing here is since we have base search as "SQLDB", it will only shows lines with "SQLDB" in those txt files. <BR /> But I need to search KEYWORD1 and KEYWORD2 inside the text files having "SQLDB".</P> Thu, 08 Feb 2018 17:18:05 GMT https://community.splunk.com/t5/Splunk-Search/Search-inside-the-files-based-on-keywords-to-do-sub-search-in/m-p/361444#M106745 rojit 2018-02-08T17:18:05Z https://community.splunk.com/t5/Splunk-Search/Search-inside-the-files-based-on-keywords-to-do-sub-search-in/m-p/361445#M106746 <P>What do you mean "search KEYWORD1 and KEYWORD2 inside the text files"?</P> <P>The way I'm parsing it right now it seems like you mean this:</P> <PRE><CODE>source=*.txt SQLDB KEYWORD1 KEYWORD2 </CODE></PRE> <P>Which would give you events from any <CODE>.txt</CODE> file that has the words "SQLDB", "KEYWORD1", and "KEYWORD2" present.</P> Thu, 08 Feb 2018 17:58:53 GMT https://community.splunk.com/t5/Splunk-Search/Search-inside-the-files-based-on-keywords-to-do-sub-search-in/m-p/361445#M106746 micahkemp 2018-02-08T17:58:53Z https://community.splunk.com/t5/Splunk-Search/Search-inside-the-files-based-on-keywords-to-do-sub-search-in/m-p/361446#M106747 <P>@micahkemp has another great option of putting all the keywords in the base search. <CODE>source=*.txt SQLDB (KEYWORD1 OR KEYWORD2)</CODE></P> Thu, 08 Feb 2018 18:49:28 GMT https://community.splunk.com/t5/Splunk-Search/Search-inside-the-files-based-on-keywords-to-do-sub-search-in/m-p/361446#M106747 cmerriman 2018-02-08T18:49:28Z https://community.splunk.com/t5/Splunk-Search/Search-inside-the-files-based-on-keywords-to-do-sub-search-in/m-p/361447#M106748 <P>@rojit</P> <P>So let's make a different search. We are going to build it up bit by bit. I'm doing it this way so you will have explanations and can modify this as needed to make it work for you.</P> <P>First task is to build a search that returns the <CODE>source</CODE> fields of the files that have the SQLDB string in them. You haven't provided much context, so you'll have to fill in some parts of this.</P> <PRE><CODE>index=X sourcetype=Y SQLDB | dedup source | table source </CODE></PRE> <P>You should run this and confirm it returns, in your case, <CODE>a1.txt</CODE> and <CODE>a3.txt</CODE>. This must be right or else the rest of this answer won't work. </P> <P>Now, we'll use that little search above as a <A href="http://docs.splunk.com/Documentation/Splunk/7.0.1/SearchTutorial/Useasubsearch">subsearch</A> inside a bigger search.</P> <PRE><CODE>index=X sourcetype=Y (KEYWORD1 OR KEYWORD2) [search index=X sourcetype=Y SQLDB | dedup source | table source] </CODE></PRE> <P>The only difference on the "inside" search is that we had to add <CODE>search</CODE> to the front of it. The way the subsearch works will be to run that little search first, and the list of <CODE>source</CODE> will get returned to the outside search, where it'll get incorporated like:</P> <PRE><CODE>index=X sourcetype=Y KEYWORD1 OR KEYWORD2 (source=a1.txt OR source=a3.txt) </CODE></PRE> <P>That's not one you have to type, that happens on the back end. But that's what ends up being run so it should return anywhere those two keywords show up, but ONLY inside a1.txt or a3.txt.</P> <P>Does that help?</P> <P>Happy Splunking,<BR /> Rich</P> Thu, 08 Feb 2018 18:56:05 GMT https://community.splunk.com/t5/Splunk-Search/Search-inside-the-files-based-on-keywords-to-do-sub-search-in/m-p/361447#M106748 Richfez 2018-02-08T18:56:05Z https://community.splunk.com/t5/Splunk-Search/Search-inside-the-files-based-on-keywords-to-do-sub-search-in/m-p/361448#M106749 <P>Thanks a lot @rich7177<BR /> The approach worked for my scenario..Below is the final code I was looking for:</P> <PRE><CODE>index=X sourcetype=Y (SQLDB OR KEYWORD1 OR KEYWORD2) [search index=X sourcetype=Y SQLDB | dedup source | table source] </CODE></PRE> Fri, 09 Feb 2018 06:41:44 GMT https://community.splunk.com/t5/Splunk-Search/Search-inside-the-files-based-on-keywords-to-do-sub-search-in/m-p/361448#M106749 rojit 2018-02-09T06:41:44Z https://community.splunk.com/t5/Splunk-Search/Search-inside-the-files-based-on-keywords-to-do-sub-search-in/m-p/361449#M106750 <P>Final approach worked for me as follows:</P> <PRE><CODE>index=X sourcetype=Y (SQLDB OR KEYWORD1 OR KEYWORD2) [search index=X sourcetype=Y SQLDB | dedup source | table source] </CODE></PRE> Fri, 09 Feb 2018 06:44:45 GMT https://community.splunk.com/t5/Splunk-Search/Search-inside-the-files-based-on-keywords-to-do-sub-search-in/m-p/361449#M106750 rojit 2018-02-09T06:44:45Z