topic How to apply multiple criteria in a single Splunk search? in Splunk Search

How to apply multiple criteria in a single Splunk search?

splunkrocks2014 — Tue, 29 Sep 2020 09:16:41 GMT

Hi All,

I try to create a saved search to fit into the following logic. How can I combine multiple criteria into one single Splunk search? Thanks.

sourcetype=xyz
c_application starts with Mozilla AND
(
(file_name starts with "mabcd" AND
url matches "http://[a-z]{4\,8}-[a-z]{1\,7}\.net/[a-z]{4\,8}\.php$"
) OR
( path ends with "==" AND
url matches "http://[a-z]{14\,21}\.net/[a-z]{4\,8}\.php$"
) OR
url matches "[a-z]{4,10}/[a-z_-]{139,157}.(php|html)"
)

Re: How to apply multiple criteria in a single Splunk search?

somesoni2 — Thu, 31 Mar 2016 20:11:08 GMT

Try like this

**Its good to add index as well for faster searching, if possible.

index=yourindex sourcetype=xyz c_application=Mozilla* | where (like(file_name,"mabcd%")  AND match(url,"http:\/\/[a-z]{4,8}-[a-z]{1,7}\.net\/[a-z]{4,8}\.php$" ) OR ( like(path,"%==") AND match(url, "http:\/\/[a-z]{14,21}\.net\/[a-z]{4,8}\.php$") ) OR (match(url, "[a-z]{4,10}\/[a-z_-]{139,157}.(php|html)$"))