https://community.splunk.com/t5/Splunk-Search/Clarification-on-the-search-using-OR/m-p/169377#M48389 <P>Hi,</P> <P>There are logs coming from two sources (xxx.success, yyy.error) into one index.Fields are to be extracted from the events of these three sources. The information to be extracted are specific to each of the files. But one search query has to be framed for success and error events from the respective files. There are no overlapping information/values between two files. However search query should not be two queries rather one. </P> <P>xxx.success :</P> <P><A href="SW:HandlefileTransfer">SW:HandlefileTransfer</A><BR /> .<BR /> .<BR /> .<BR /> <A href="https://answers.splunk.comSW:HandlefileTransfer">/SW:HandlefileTransfer</A></P> <P>yyy.error : </P> <P>.<BR /> <A href="SW:GblStatus">SW:GblStatus</A><BR /> .<BR /> .<BR /> .<A href="SW:Text">SW:Text</A>Error occurred....<A href="https://answers.splunk.comSW:Text">/SW:Text</A></P> <PRE><CODE> . &lt;SW:GblStatus&gt; </CODE></PRE> <P>.<BR /> .</P> <P>Solution 1:</P> <P>We framed the search query like</P> <P>index =fxr |source = "xxx.success" OR source = "yyy.error" |(Extraction of fields using rex command)</P> <P>If the search is to be performed this way, to get successful events the query will unnecessarily search in error events and to get error events the query will unnecessarily search in successful events thereby doing two unnecessary searches taking more time. </P> <P>Can you tell an alternative way or suggest some other way to handle this scenario?</P> <P>Solution 2:</P> <P>Transformation of the logs after combining the logs from two sources into a single file and adding additional tag to the events so as to differentiate the sources from each other like</P> <P><SUCCESS><BR /> <A href="SW:HandlefileTransfer">SW:HandlefileTransfer</A><BR /> .<BR /> .<BR /> .<BR /> ..<BR /> <A href="https://answers.splunk.comSW:HandlefileTransfer">/SW:HandlefileTransfer</A><BR /> </SUCCESS><BR /> <ERROR><BR /> <A href="SW:GblStatus">SW:GblStatus</A><BR /> .<BR /> .<BR /> .<A href="SW:Text">SW:Text</A>Error occurred....<A href="https://answers.splunk.comSW:Text">/SW:Text</A></ERROR></P> <PRE><CODE> . &lt;SW:GblStatus&gt; &lt;/Error&gt; </CODE></PRE> <P>As extra tag is added around the incoming data, we can eliminate the unnecessary search (as mentioned above) and thus reducing the time. Please advise.</P> Mon, 19 May 2014 07:58:53 GMT Jananee_iNautix 2014-05-19T07:58:53Z https://community.splunk.com/t5/Splunk-Search/Clarification-on-the-search-using-OR/m-p/169377#M48389 <P>Hi,</P> <P>There are logs coming from two sources (xxx.success, yyy.error) into one index.Fields are to be extracted from the events of these three sources. The information to be extracted are specific to each of the files. But one search query has to be framed for success and error events from the respective files. There are no overlapping information/values between two files. However search query should not be two queries rather one. </P> <P>xxx.success :</P> <P><A href="SW:HandlefileTransfer">SW:HandlefileTransfer</A><BR /> .<BR /> .<BR /> .<BR /> <A href="https://answers.splunk.comSW:HandlefileTransfer">/SW:HandlefileTransfer</A></P> <P>yyy.error : </P> <P>.<BR /> <A href="SW:GblStatus">SW:GblStatus</A><BR /> .<BR /> .<BR /> .<A href="SW:Text">SW:Text</A>Error occurred....<A href="https://answers.splunk.comSW:Text">/SW:Text</A></P> <PRE><CODE> . &lt;SW:GblStatus&gt; </CODE></PRE> <P>.<BR /> .</P> <P>Solution 1:</P> <P>We framed the search query like</P> <P>index =fxr |source = "xxx.success" OR source = "yyy.error" |(Extraction of fields using rex command)</P> <P>If the search is to be performed this way, to get successful events the query will unnecessarily search in error events and to get error events the query will unnecessarily search in successful events thereby doing two unnecessary searches taking more time. </P> <P>Can you tell an alternative way or suggest some other way to handle this scenario?</P> <P>Solution 2:</P> <P>Transformation of the logs after combining the logs from two sources into a single file and adding additional tag to the events so as to differentiate the sources from each other like</P> <P><SUCCESS><BR /> <A href="SW:HandlefileTransfer">SW:HandlefileTransfer</A><BR /> .<BR /> .<BR /> .<BR /> ..<BR /> <A href="https://answers.splunk.comSW:HandlefileTransfer">/SW:HandlefileTransfer</A><BR /> </SUCCESS><BR /> <ERROR><BR /> <A href="SW:GblStatus">SW:GblStatus</A><BR /> .<BR /> .<BR /> .<A href="SW:Text">SW:Text</A>Error occurred....<A href="https://answers.splunk.comSW:Text">/SW:Text</A></ERROR></P> <PRE><CODE> . &lt;SW:GblStatus&gt; &lt;/Error&gt; </CODE></PRE> <P>As extra tag is added around the incoming data, we can eliminate the unnecessary search (as mentioned above) and thus reducing the time. Please advise.</P> Mon, 19 May 2014 07:58:53 GMT https://community.splunk.com/t5/Splunk-Search/Clarification-on-the-search-using-OR/m-p/169377#M48389 Jananee_iNautix 2014-05-19T07:58:53Z https://community.splunk.com/t5/Splunk-Search/Clarification-on-the-search-using-OR/m-p/169378#M48390 <P>First of all your first search is incorrect, but I'm assuming it's pseudo-code?</P> <P>Could you please explain what you mean by that it's performing "unnecessary" searches? If you want to find events from xxx.success and yyy.error there's obviously no way around that you'd have to search xxx.success and yyy.error for that. Where does the "unnecessary" part come in?</P> <P>If you mean that it's somehow more resource-consuming to search for two different sources instead of just one, that isn't the case. With HUGE numbers of search terms this can be the case but we're talking about thousands of search terms before you might be seeing a performance impact.</P> Mon, 19 May 2014 08:16:46 GMT https://community.splunk.com/t5/Splunk-Search/Clarification-on-the-search-using-OR/m-p/169378#M48390 Ayn 2014-05-19T08:16:46Z