https://community.splunk.com/t5/Splunk-Search/How-to-add-multiple-field-in-a-single-search/m-p/688421#M234701 <P>Hi&nbsp;</P><P>How to write spl search query by adding multiple field in single search&nbsp;</P><P>&nbsp;</P><P>Field 1 - contain data like authorization " Write or Read "&nbsp;</P><P>Field 2 - contain user id details like "&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/265221">@abc</a>.com , user1, user 2,&nbsp;</P><P>Question&nbsp;</P><P>How to write a spl query&nbsp;</P><P>Index =testing ("write" AND "&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/265221">@abc</a>.com" )&nbsp;</P><P>spl query to add multiple filed which contain " write " AND "@abc.com" when these condition satisfied an alert has to been sent&nbsp;</P> Thu, 23 May 2024 08:59:21 GMT jaibalaraman 2024-05-23T08:59:21Z https://community.splunk.com/t5/Splunk-Search/How-to-add-multiple-field-in-a-single-search/m-p/688421#M234701 <P>Hi&nbsp;</P><P>How to write spl search query by adding multiple field in single search&nbsp;</P><P>&nbsp;</P><P>Field 1 - contain data like authorization " Write or Read "&nbsp;</P><P>Field 2 - contain user id details like "&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/265221">@abc</a>.com , user1, user 2,&nbsp;</P><P>Question&nbsp;</P><P>How to write a spl query&nbsp;</P><P>Index =testing ("write" AND "&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/265221">@abc</a>.com" )&nbsp;</P><P>spl query to add multiple filed which contain " write " AND "@abc.com" when these condition satisfied an alert has to been sent&nbsp;</P> Thu, 23 May 2024 08:59:21 GMT https://community.splunk.com/t5/Splunk-Search/How-to-add-multiple-field-in-a-single-search/m-p/688421#M234701 jaibalaraman 2024-05-23T08:59:21Z https://community.splunk.com/t5/Splunk-Search/How-to-add-multiple-field-in-a-single-search/m-p/688422#M234702 <P>Try</P><LI-CODE lang="markup">Index=testing ("write" AND " <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/265221">@abc</a>.com" ) </LI-CODE><P>What results do you get?</P> Thu, 23 May 2024 09:06:55 GMT https://community.splunk.com/t5/Splunk-Search/How-to-add-multiple-field-in-a-single-search/m-p/688422#M234702 ITWhisperer 2024-05-23T09:06:55Z https://community.splunk.com/t5/Splunk-Search/How-to-add-multiple-field-in-a-single-search/m-p/688450#M234705 <P>yes i can see the output. However&nbsp; the search returns based on the string mentioned in the bracket&nbsp; and also additionally it returns most of other user id&nbsp;</P><P>example -&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/265221">@abc</a>.com ,&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/230991">@test</a>.com , testing.@test.co</P> Thu, 23 May 2024 11:00:43 GMT https://community.splunk.com/t5/Splunk-Search/How-to-add-multiple-field-in-a-single-search/m-p/688450#M234705 jaibalaraman 2024-05-23T11:00:43Z https://community.splunk.com/t5/Splunk-Search/How-to-add-multiple-field-in-a-single-search/m-p/688453#M234706 <P>Please share some of the events whish are being returned incorrectly (anonymised appropriately)</P> Thu, 23 May 2024 11:12:48 GMT https://community.splunk.com/t5/Splunk-Search/How-to-add-multiple-field-in-a-single-search/m-p/688453#M234706 ITWhisperer 2024-05-23T11:12:48Z https://community.splunk.com/t5/Splunk-Search/How-to-add-multiple-field-in-a-single-search/m-p/688458#M234707 <P>Hi please</P><P>find the below image&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="jaibalaraman_0-1716463297677.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/30938iD3088595D176FB5F/image-size/medium?v=v2&amp;px=400" role="button" title="jaibalaraman_0-1716463297677.png" alt="jaibalaraman_0-1716463297677.png" /></span></P><P>&nbsp;</P> Thu, 23 May 2024 11:21:48 GMT https://community.splunk.com/t5/Splunk-Search/How-to-add-multiple-field-in-a-single-search/m-p/688458#M234707 jaibalaraman 2024-05-23T11:21:48Z https://community.splunk.com/t5/Splunk-Search/How-to-add-multiple-field-in-a-single-search/m-p/688462#M234708 <P>Please paste the text (not an image) of the search into code block (otherwise, it is too small to be read easily)</P> Thu, 23 May 2024 12:02:17 GMT https://community.splunk.com/t5/Splunk-Search/How-to-add-multiple-field-in-a-single-search/m-p/688462#M234708 ITWhisperer 2024-05-23T12:02:17Z https://community.splunk.com/t5/Splunk-Search/How-to-add-multiple-field-in-a-single-search/m-p/688465#M234710 <P>May I misunderstand your question, but it's simple:</P> <LI-CODE lang="markup">index= testing field1="write" field2="*@abc.com" |table field1, field2, ....</LI-CODE> <P>if "@abc.com"&nbsp; is a user name and not a domain (as I assume) you do not need to put the wildcard (*) before. If you put it, it will result in every user with&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/265221">@abc</a>.com. Like, <A href="mailto:user1@abc.com," target="_blank" rel="noopener">user1@abc.com,</A>&nbsp;<A href="mailto:user2@abc.com.." target="_blank" rel="noopener">user2@abc.com..</A>.</P> <P>alternative:</P> <LI-CODE lang="markup">index=testing | stats count by field1 field2 | search field1="write" AND field2"*@abc.com"</LI-CODE> <P>Regards,</P> Thu, 23 May 2024 14:35:56 GMT https://community.splunk.com/t5/Splunk-Search/How-to-add-multiple-field-in-a-single-search/m-p/688465#M234710 norbertt911 2024-05-23T14:35:56Z