topic Re: Why is the top command not working when searching in two indexes? in Splunk Search https://community.splunk.com/t5/Splunk-Search/Why-is-the-top-command-not-working-when-searching-in-two-indexes/m-p/275528#M83110 <P>use double quote when for sourcetype=intel:dlp ---- sourcetype="intel:dlp"</P> Fri, 09 Dec 2016 03:50:58 GMT puneethgowda 2016-12-09T03:50:58Z Why is the top command not working when searching in two indexes? https://community.splunk.com/t5/Splunk-Search/Why-is-the-top-command-not-working-when-searching-in-two-indexes/m-p/275526#M83108 <P>Hello all,</P> <P>For some reason, the search below isn't working for me... I am trying to search for the Top 25 Business Units that have triggered a DLP incident and sort it by those incidents... Unsure if it's the lack of caffeine, but I was under the impression this would work...</P> <PRE><CODE>(index=dlp OR index=msad) (sourcetype=intel:dlp OR sourcetype=ActiveDirectory) IncidentType="*" department="*" | Top 25 department | sort by IncidentType </CODE></PRE> <P>Greatly appreciate your inputs.</P> Fri, 09 Dec 2016 00:41:02 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-the-top-command-not-working-when-searching-in-two-indexes/m-p/275526#M83108 lmedina 2016-12-09T00:41:02Z Re: Why is the top command not working when searching in two indexes? https://community.splunk.com/t5/Splunk-Search/Why-is-the-top-command-not-working-when-searching-in-two-indexes/m-p/275527#M83109 <P>Try this</P> <PRE><CODE>(index=dlp OR index=msad) (sourcetype=intel:dlp OR sourcetype=ActiveDirectory) IncidentType="" department="" | top 25 department by IncidentType | sort by IncidentType </CODE></PRE> Fri, 09 Dec 2016 03:46:21 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-the-top-command-not-working-when-searching-in-two-indexes/m-p/275527#M83109 sundareshr 2016-12-09T03:46:21Z Re: Why is the top command not working when searching in two indexes? https://community.splunk.com/t5/Splunk-Search/Why-is-the-top-command-not-working-when-searching-in-two-indexes/m-p/275528#M83110 <P>use double quote when for sourcetype=intel:dlp ---- sourcetype="intel:dlp"</P> Fri, 09 Dec 2016 03:50:58 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-the-top-command-not-working-when-searching-in-two-indexes/m-p/275528#M83110 puneethgowda 2016-12-09T03:50:58Z Re: Why is the top command not working when searching in two indexes? https://community.splunk.com/t5/Splunk-Search/Why-is-the-top-command-not-working-when-searching-in-two-indexes/m-p/275529#M83111 <P>Thank you sundareshr - but still no data... I've been trying other constants but no results.</P> Fri, 09 Dec 2016 05:26:12 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-the-top-command-not-working-when-searching-in-two-indexes/m-p/275529#M83111 lmedina 2016-12-09T05:26:12Z Re: Why is the top command not working when searching in two indexes? https://community.splunk.com/t5/Splunk-Search/Why-is-the-top-command-not-working-when-searching-in-two-indexes/m-p/275530#M83112 <P>Thank you puneethgowda - but still no data... I've been trying other constants but no results.</P> Fri, 09 Dec 2016 05:26:53 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-the-top-command-not-working-when-searching-in-two-indexes/m-p/275530#M83112 lmedina 2016-12-09T05:26:53Z Re: Why is the top command not working when searching in two indexes? https://community.splunk.com/t5/Splunk-Search/Why-is-the-top-command-not-working-when-searching-in-two-indexes/m-p/275531#M83113 <P>index=dlp sourcetype=intel:dlp OR index=msad sourcetype=ActiveDirectory </P> <P>Try this</P> Fri, 09 Dec 2016 05:29:41 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-the-top-command-not-working-when-searching-in-two-indexes/m-p/275531#M83113 puneethgowda 2016-12-09T05:29:41Z Re: Why is the top command not working when searching in two indexes? https://community.splunk.com/t5/Splunk-Search/Why-is-the-top-command-not-working-when-searching-in-two-indexes/m-p/275532#M83114 <P>index="dlp" sourcetype="intel:dlp" OR index="msad" sourcetype="ActiveDirectory"</P> <P>add double quote</P> Fri, 09 Dec 2016 05:30:25 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-the-top-command-not-working-when-searching-in-two-indexes/m-p/275532#M83114 puneethgowda 2016-12-09T05:30:25Z Re: Why is the top command not working when searching in two indexes? https://community.splunk.com/t5/Splunk-Search/Why-is-the-top-command-not-working-when-searching-in-two-indexes/m-p/275533#M83115 <P>Nope...</P> <P>This is when the data comes...</P> <P>(index=dlp OR index=msad) (sourcetype=intel:dlp OR sourcetype=ActiveDirectory)</P> Fri, 09 Dec 2016 05:48:25 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-the-top-command-not-working-when-searching-in-two-indexes/m-p/275533#M83115 lmedina 2016-12-09T05:48:25Z