https://community.splunk.com/t5/Splunk-Search/Intersect-not-working-properly/m-p/96608#M182530 <P>Hi all,<BR /> I have an intersect search which tries to intersect two search queries with a field. This is the command:</P> <PRE><CODE>(OPER "| IN |" xDSL) OR (OPER STATUS) [| set intersect [search (OPER "| IN |" xDSL) | fields TransactionID | fields - _*] [search (OPER STATUS) | fields TransactionID | fields - _*] ] </CODE></PRE> <P>What this command does is it intersects and displays the logs which contain OPER IN xDSL and OPER STATUS with the transactionID.</P> <P>The problem occurs when I want to intersect and display logs which contain OPER IN 1234 and OPER STATUS with the transactionID. Eg:</P> <PRE><CODE>(OPER "| IN |" 1234) OR (OPER STATUS) [| set intersect [search (OPER "| IN |" 1234) | fields TransactionID | fields - _*] [search (OPER STATUS) | fields TransactionID | fields - _*] ] </CODE></PRE> <P>It seems that when I search for a number (i.e. 1234), the command is not compiled correctly. </P> <P>Any advice?</P> <P>Thanks in advance</P> <P>Simon</P> Thu, 12 Jul 2012 11:38:43 GMT simonattardGO 2012-07-12T11:38:43Z https://community.splunk.com/t5/Splunk-Search/Intersect-not-working-properly/m-p/96608#M182530 <P>Hi all,<BR /> I have an intersect search which tries to intersect two search queries with a field. This is the command:</P> <PRE><CODE>(OPER "| IN |" xDSL) OR (OPER STATUS) [| set intersect [search (OPER "| IN |" xDSL) | fields TransactionID | fields - _*] [search (OPER STATUS) | fields TransactionID | fields - _*] ] </CODE></PRE> <P>What this command does is it intersects and displays the logs which contain OPER IN xDSL and OPER STATUS with the transactionID.</P> <P>The problem occurs when I want to intersect and display logs which contain OPER IN 1234 and OPER STATUS with the transactionID. Eg:</P> <PRE><CODE>(OPER "| IN |" 1234) OR (OPER STATUS) [| set intersect [search (OPER "| IN |" 1234) | fields TransactionID | fields - _*] [search (OPER STATUS) | fields TransactionID | fields - _*] ] </CODE></PRE> <P>It seems that when I search for a number (i.e. 1234), the command is not compiled correctly. </P> <P>Any advice?</P> <P>Thanks in advance</P> <P>Simon</P> Thu, 12 Jul 2012 11:38:43 GMT https://community.splunk.com/t5/Splunk-Search/Intersect-not-working-properly/m-p/96608#M182530 simonattardGO 2012-07-12T11:38:43Z https://community.splunk.com/t5/Splunk-Search/Intersect-not-working-properly/m-p/96609#M182531 <P>I would do this a different way. Here is the simpliest form:</P> <PRE><CODE>oper "| in |" 1234 | join TransactionID [search oper status | format maxresults=10000 ] </CODE></PRE> <P>This should work for <CODE>xdsl</CODE> as well as <CODE>1234</CODE></P> <P>If you only want to see the TransactionID in the results, you can add the fields command.</P> <PRE><CODE>oper "| in |" 1234 | fields TransactionID | join TransactionID [search oper status | fields TransactionID | format maxresults=10000 ] </CODE></PRE> <P>Some additional facts, which you may already know but some readers may not:</P> <P>Splunk searches are case-insensitive, so it doesn't matter if you enter oper or OPER.This search is looking for events that have all three of the following tokens, in any order or position, without regard to case:</P> <PRE><CODE>oper | in | 1234 </CODE></PRE> <P>But Splunk search is based on keywords - so you will find events with the term "oper" but not "operator"</P> <P>The search is looking for the vertical bars as well, so it isn't just looking for OPER IN 1234</P> <P>HTH</P> Mon, 16 Jul 2012 05:05:57 GMT https://community.splunk.com/t5/Splunk-Search/Intersect-not-working-properly/m-p/96609#M182531 lguinn2 2012-07-16T05:05:57Z https://community.splunk.com/t5/Splunk-Search/Intersect-not-working-properly/m-p/96610#M182532 <P>in intersect , it will include the internal as well as raw fields and will match it , it will not match the single field , so for that u have to exclude the internal fields by |fields host|fields - _*</P> Mon, 09 Mar 2015 10:56:01 GMT https://community.splunk.com/t5/Splunk-Search/Intersect-not-working-properly/m-p/96610#M182532 kartik13 2015-03-09T10:56:01Z