https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-return-events-where-Field2-has-both/m-p/216572#M63560 <P>I have events in which Field1 contains multiple values, but I only need to look for two values (foo AND bar) and tie them to Field2. What's the most efficient way to craft this search?</P> <P>I'm basically looking for events to be returned in which Field2 has both 'foo' AND 'bar' in Field1.</P> <P>Thx</P> Tue, 23 Feb 2016 16:20:56 GMT jwalzerpitt 2016-02-23T16:20:56Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-return-events-where-Field2-has-both/m-p/216572#M63560 <P>I have events in which Field1 contains multiple values, but I only need to look for two values (foo AND bar) and tie them to Field2. What's the most efficient way to craft this search?</P> <P>I'm basically looking for events to be returned in which Field2 has both 'foo' AND 'bar' in Field1.</P> <P>Thx</P> Tue, 23 Feb 2016 16:20:56 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-return-events-where-Field2-has-both/m-p/216572#M63560 jwalzerpitt 2016-02-23T16:20:56Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-return-events-where-Field2-has-both/m-p/216573#M63561 <P>I do have the following query:</P> <P>index=indexname Field1=foo OR Field1=bar | stats values(Field1), dc(Field1) by Field2</P> <P>But if I change the 'OR' to 'AND' it kills the query</P> <P>Thx</P> Tue, 23 Feb 2016 16:53:18 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-return-events-where-Field2-has-both/m-p/216573#M63561 jwalzerpitt 2016-02-23T16:53:18Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-return-events-where-Field2-has-both/m-p/216574#M63562 <P>I'm guessing that field1 in its original context is not a multivalue field. So what you need is an additional search command after your stats command. </P> <PRE><CODE>index=indexname Field1=foo OR Field1=bar | stats values(Field1), dc(Field1) by Field2 | search (Field1=foo AND Field1=bar) </CODE></PRE> Tue, 23 Feb 2016 17:43:56 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-return-events-where-Field2-has-both/m-p/216574#M63562 jplumsdaine22 2016-02-23T17:43:56Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-return-events-where-Field2-has-both/m-p/216575#M63563 <P>Thx for the reply - actually Field1 is the multivalue field (it has seven total values, but I'm only looking to pull two)</P> Tue, 23 Feb 2016 18:04:54 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-return-events-where-Field2-has-both/m-p/216575#M63563 jwalzerpitt 2016-02-23T18:04:54Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-return-events-where-Field2-has-both/m-p/216576#M63564 <P>And i just realized one flaw in my logic in that Field1 will always be an 'OR' as the even though Field2 can have one of the two Field1 values, it will be one value per event. Field2 will never have 'foo' and 'bar' in the same event.</P> Tue, 23 Feb 2016 18:09:41 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-return-events-where-Field2-has-both/m-p/216576#M63564 jwalzerpitt 2016-02-23T18:09:41Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-return-events-where-Field2-has-both/m-p/216577#M63565 <P>I've been running the following query below and I believe I'm getting the results I need. Would be interested to see if someone could runt he same query and check if they're getting the results they'd expect as well.</P> <PRE><CODE>index=indexname Field1=foo OR Field1=bar | stats values(Field1), dc(Field1) as Total by Field2 | where Total &gt;=2 </CODE></PRE> <P>Thx</P> Wed, 24 Feb 2016 14:42:30 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-return-events-where-Field2-has-both/m-p/216577#M63565 jwalzerpitt 2016-02-24T14:42:30Z