topic help needed with splunk search in Splunk Search https://community.splunk.com/t5/Splunk-Search/help-needed-with-splunk-search/m-p/23775#M177485 <P>hello i have a problem with splunk results. in some of the RAW logs i have a field called as "ref" and in some logs i dont have that field. i want splunk to display the results even when a a particular field is missing.</P> <P>for example:</P> <P>query: index=pci_bpo_index device_id="FG*" type="virus" | stats count by log_id subtype msg status devname url | sort -10count</P> <P>i get 246 results </P> <P>and if i include the word ref in my search only 1 result comes out. i need to find a way for splunk to show me 246 results even if ref field is not included in the 245 RAW logs.</P> <P>is their a "AND" 'OR" function we can use in our search which can solve this issue.</P> <P>query: index=pci_bpo_index device_id="FG*" type="virus" | stats count by log_id subtype msg status devname url <STRONG>ref</STRONG> | sort -10count</P> <P>if i include ref my result comes out to be only 1.</P> <P>example of RAW logs</P> <P>with ref field : </P> <P>log_id=0211008192 type=virus subtype=infected pri=warning vd=root msg="File is infected." status=passthrough service=mm1 src=1.1.1.1 dst=2.2.2.2 sport=2560 src_port=2560 dport=5120 dst_port=5120 src_int=lo dst_int=dummy0 policyid=12345 identidx=67890 serial=312 dir=rx file=file_name checksum=N/A quarskip="No skip" virus=virus dtype=cat <STRONG>ref=fortinet/ve?vid=1 url=N/A carrier_ep="carrier endpoint</STRONG>" profile=N/A profiletype=N/A profilegroup=N/A user=user group=group agent=N/A from=N/A to=N/A</P> <P>example without ref : log_id=0212008452 type=virus subtype=filename pri=warning vd=root msg="Command blocked." status=blocked service=ftp src=172.17.100.230 dst=172.19.125.98 sport=2620 src_port=2620 dport=21 dst_port=21 src_int=lan4 dst_int=wan1 policyid=2044 identidx=0 serial=218566 url=N/A user=N/A group=N/A command=REST</P> Mon, 28 Sep 2020 14:29:49 GMT ssehgal 2020-09-28T14:29:49Z help needed with splunk search https://community.splunk.com/t5/Splunk-Search/help-needed-with-splunk-search/m-p/23775#M177485 <P>hello i have a problem with splunk results. in some of the RAW logs i have a field called as "ref" and in some logs i dont have that field. i want splunk to display the results even when a a particular field is missing.</P> <P>for example:</P> <P>query: index=pci_bpo_index device_id="FG*" type="virus" | stats count by log_id subtype msg status devname url | sort -10count</P> <P>i get 246 results </P> <P>and if i include the word ref in my search only 1 result comes out. i need to find a way for splunk to show me 246 results even if ref field is not included in the 245 RAW logs.</P> <P>is their a "AND" 'OR" function we can use in our search which can solve this issue.</P> <P>query: index=pci_bpo_index device_id="FG*" type="virus" | stats count by log_id subtype msg status devname url <STRONG>ref</STRONG> | sort -10count</P> <P>if i include ref my result comes out to be only 1.</P> <P>example of RAW logs</P> <P>with ref field : </P> <P>log_id=0211008192 type=virus subtype=infected pri=warning vd=root msg="File is infected." status=passthrough service=mm1 src=1.1.1.1 dst=2.2.2.2 sport=2560 src_port=2560 dport=5120 dst_port=5120 src_int=lo dst_int=dummy0 policyid=12345 identidx=67890 serial=312 dir=rx file=file_name checksum=N/A quarskip="No skip" virus=virus dtype=cat <STRONG>ref=fortinet/ve?vid=1 url=N/A carrier_ep="carrier endpoint</STRONG>" profile=N/A profiletype=N/A profilegroup=N/A user=user group=group agent=N/A from=N/A to=N/A</P> <P>example without ref : log_id=0212008452 type=virus subtype=filename pri=warning vd=root msg="Command blocked." status=blocked service=ftp src=172.17.100.230 dst=172.19.125.98 sport=2620 src_port=2620 dport=21 dst_port=21 src_int=lan4 dst_int=wan1 policyid=2044 identidx=0 serial=218566 url=N/A user=N/A group=N/A command=REST</P> Mon, 28 Sep 2020 14:29:49 GMT https://community.splunk.com/t5/Splunk-Search/help-needed-with-splunk-search/m-p/23775#M177485 ssehgal 2020-09-28T14:29:49Z Re: help needed with splunk search https://community.splunk.com/t5/Splunk-Search/help-needed-with-splunk-search/m-p/23776#M177486 <P>Try this</P> <PRE><CODE>index=pci_bpo_index device_id="FG*" type="virus" | fillnull value=" " ref | stats count by log_id subtype msg status devname url ref | sort -10 count </CODE></PRE> <P>which sets <CODE>ref</CODE> to spaces for events that do not have a <CODE>ref</CODE> field.</P> Fri, 02 Aug 2013 20:13:42 GMT https://community.splunk.com/t5/Splunk-Search/help-needed-with-splunk-search/m-p/23776#M177486 lguinn2 2013-08-02T20:13:42Z