https://community.splunk.com/t5/Splunk-Search/search-query-filter/m-p/339378#M159680 <P>I have a simple search query to look for vpn alerts</P> <PRE><CODE>index=nm host = inyod1-jvpn1a-dmz8-lo0 syslog_message="*karachi*" KMD_PM_SA_ESTABLISHED OR "IKE negotiation failed with error" </CODE></PRE> <P>However, I want to make splunk return results of <CODE>KMD_PM_SA_ESTABLISHED</CODE> only when the <CODE>IKE negotiation failed with error</CODE> is detected beforehand. Is there a way to do it?</P> <P>Thanks </P> Tue, 01 Aug 2017 00:34:26 GMT ringbbg 2017-08-01T00:34:26Z https://community.splunk.com/t5/Splunk-Search/search-query-filter/m-p/339378#M159680 <P>I have a simple search query to look for vpn alerts</P> <PRE><CODE>index=nm host = inyod1-jvpn1a-dmz8-lo0 syslog_message="*karachi*" KMD_PM_SA_ESTABLISHED OR "IKE negotiation failed with error" </CODE></PRE> <P>However, I want to make splunk return results of <CODE>KMD_PM_SA_ESTABLISHED</CODE> only when the <CODE>IKE negotiation failed with error</CODE> is detected beforehand. Is there a way to do it?</P> <P>Thanks </P> Tue, 01 Aug 2017 00:34:26 GMT https://community.splunk.com/t5/Splunk-Search/search-query-filter/m-p/339378#M159680 ringbbg 2017-08-01T00:34:26Z https://community.splunk.com/t5/Splunk-Search/search-query-filter/m-p/339379#M159681 <P>Change <CODE>OR</CODE> to <CODE>AND</CODE>, which will match both conditions to be true. Even if you take out <STRONG>OR</STRONG>, by default Splunk will use AND.</P> Tue, 01 Aug 2017 02:08:07 GMT https://community.splunk.com/t5/Splunk-Search/search-query-filter/m-p/339379#M159681 niketn 2017-08-01T02:08:07Z https://community.splunk.com/t5/Splunk-Search/search-query-filter/m-p/339380#M159682 <PRE><CODE>&gt; I want to make splunk return results &gt; of KMD_PM_SA_ESTABLISHED only when the &gt; IKE negotiation failed with error is &gt; detected beforehand </CODE></PRE> <P>KMD_PM_SA_ESTABLISHED <BR /> and <BR /> "IKE negotiation failed with error" ---- these two are appearing on a single event or different events?<BR /> as you say "only when the IKE negotiation failed with error is detected beforehand", mostly they would be appearing on the same event. so, simply you can use "AND" instead of the the "OR"<BR /> <PRE>index=nm host = inyod1-jvpn1a-dmz8-lo0 syslog_message="karachi" KMD_PM_SA_ESTABLISHED AND "IKE negotiation failed with error"</PRE></P> <P>AND is always implied on the search by default (for example - search for "one two" means, its actually searching for "one AND two")</P> <PRE>index=nm host = inyod1-jvpn1a-dmz8-lo0 syslog_message="karachi" KMD_PM_SA_ESTABLISHED "IKE negotiation failed with error"</PRE> Tue, 29 Sep 2020 15:10:40 GMT https://community.splunk.com/t5/Splunk-Search/search-query-filter/m-p/339380#M159682 inventsekar 2020-09-29T15:10:40Z https://community.splunk.com/t5/Splunk-Search/search-query-filter/m-p/339381#M159683 <P>Are these 2 conditions contained in the same event or 2 different events?</P> Wed, 02 Aug 2017 14:48:37 GMT https://community.splunk.com/t5/Splunk-Search/search-query-filter/m-p/339381#M159683 woodcock 2017-08-02T14:48:37Z