https://community.splunk.com/t5/Splunk-Search/How-to-use-OR-operator-between-subsearch-and-fields/m-p/618811#M215065 <P>Thanks for quick reply! but it didn't work</P> Sat, 29 Oct 2022 00:20:14 GMT splunkxorsplunk 2022-10-29T00:20:14Z https://community.splunk.com/t5/Splunk-Search/How-to-use-OR-operator-between-subsearch-and-fields/m-p/618808#M215063 <P>Hey Splunkers,</P> <P>&nbsp;</P> <P>I have the following search but it is not working as expected. What I am trying to achieve is if one of the conditions matches I will table out some fields.</P> <P>condition 1 : if user_action="Update*"</P> <P>OR&nbsp;</P> <P>Condition 2:&nbsp; within each 5 min bucket, if any user has access more than 400 destination in the same index, index1</P> <P>but it doesn't work. How can I check both condition on the same search?&nbsp;</P> <P>Thanks in advanced!</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">index=index1 ``` condition 1 ``` ( user_action="Update*" ) OR ``` condition 2 ``` ( [search index=index1 NOT user IN ("system*", "nobody*") | bin _time span=5m | stats values(dest) count by _time, user | where count &gt; 400 ] ) | table _time, user, dest</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Sat, 29 Oct 2022 00:42:46 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-OR-operator-between-subsearch-and-fields/m-p/618808#M215063 splunkxorsplunk 2022-10-29T00:42:46Z https://community.splunk.com/t5/Splunk-Search/How-to-use-OR-operator-between-subsearch-and-fields/m-p/618810#M215064 <P>Just literally replace the or with</P><P>&nbsp;| append&nbsp;</P><P>And remove the next set of parentheses&nbsp;</P> Fri, 28 Oct 2022 23:59:18 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-OR-operator-between-subsearch-and-fields/m-p/618810#M215064 johnhuang 2022-10-28T23:59:18Z https://community.splunk.com/t5/Splunk-Search/How-to-use-OR-operator-between-subsearch-and-fields/m-p/618811#M215065 <P>Thanks for quick reply! but it didn't work</P> Sat, 29 Oct 2022 00:20:14 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-OR-operator-between-subsearch-and-fields/m-p/618811#M215065 splunkxorsplunk 2022-10-29T00:20:14Z https://community.splunk.com/t5/Splunk-Search/How-to-use-OR-operator-between-subsearch-and-fields/m-p/618813#M215066 <P>Either one of these:</P><LI-CODE lang="markup">index=index1 user_action="Update" | append [search index=index1 NOT user IN ("system*", "nobody*") | bucket _time span=5m | stats count as event_ct values(dest) AS dest BY _time user | where count&gt;400] | table _time user dest index=index1 | bucket _time span=5m | eventstats count AS event_ct BY _time user | search event_ct&gt;400 OR user_action="Update" | table _time user dest</LI-CODE> Sat, 29 Oct 2022 02:38:56 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-OR-operator-between-subsearch-and-fields/m-p/618813#M215066 johnhuang 2022-10-29T02:38:56Z https://community.splunk.com/t5/Splunk-Search/How-to-use-OR-operator-between-subsearch-and-fields/m-p/618815#M215068 <P>It worked! Thanks Johnhuang!</P> Sat, 29 Oct 2022 03:36:59 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-OR-operator-between-subsearch-and-fields/m-p/618815#M215068 splunkxorsplunk 2022-10-29T03:36:59Z