topic Re: How to Search for the Rows If at Least One Row in the Whole source Meets a Criteria in Splunk Search

How to Search for the Rows If at Least One Row in the Whole source Meets a Criteria

hpaknia — Thu, 06 Jan 2022 21:33:36 GMT

I want to search like:

index=whatever "term_1" AND (at least one event in the source of the found record contains term_2)

Suppose source1 is:
/var/log/source1.log
event 1
event 2 term_2
event 3
event 4 term_1

source2 is:
/var/log/source2.log
event 1
event 2
event 3 term_1

When searching for term_1, I want to see the results only from source1. Because source1 also has an event having term_2 in it.

Re: How to Search for the Rows If at Least One Row in the Whole source Meets a Criteria

muebel — Thu, 06 Jan 2022 21:00:42 GMT

I'm having difficulty understanding this 😅. Could you explain what you mean by source?

Perhaps you could drop in literal event samples? I'm not following the example presented.

Re: How to Search for the Rows If at Least One Row in the Whole source Meets a Criteria

hpaknia — Thu, 06 Jan 2022 21:32:47 GMT

Re: How to Search for the Rows If at Least One Row in the Whole source Meets a Criteria

inventsekar — Fri, 07 Jan 2022 00:24:54 GMT

Simply,

Index=test host=testhost term_1 term_2 (source=source1 OR source=source2)

This will search for term1 AND term2, with source1 OR source2

I hope that's what u r looking for.

Re: How to Search for the Rows If at Least One Row in the Whole source Meets a Criteria

hpaknia — Fri, 07 Jan 2022 05:46:00 GMT

Not exactly. I close this question. I agree that the question is kind of ambiguous. I have to deeply learn how Splunk querying works to find my way around this.

Thanks

Update: Not sure how I can close the question without deleting it.