Hi all,
I have an intersect search which tries to intersect two search queries with a field. This is the command:
(OPER "| IN |" xDSL) OR (OPER STATUS) [| set intersect [search (OPER "| IN |" xDSL) | fields TransactionID | fields - _*] [search (OPER STATUS) | fields TransactionID | fields - _*] ]
What this command does is it intersects and displays the logs which contain OPER IN xDSL and OPER STATUS with the transactionID.
The problem occurs when I want to intersect and display logs which contain OPER IN 1234 and OPER STATUS with the transactionID. Eg:
(OPER "| IN |" 1234) OR (OPER STATUS) [| set intersect [search (OPER "| IN |" 1234) | fields TransactionID | fields - _*] [search (OPER STATUS) | fields TransactionID | fields - _*] ]
It seems that when I search for a number (i.e. 1234), the command is not compiled correctly.
Any advice?
Thanks in advance
Simon
In intersect, it will include the internal as well as raw fields and will match them; it will not match the single field, so for that you have to exclude the internal fields by | fields host | fields - _*
I would do this a different way. Here is the simplest form:
oper "| in |" 1234
| join TransactionID
[search oper status
| format maxresults=10000 ]
This should work for xdsl as well as 1234.
If you only want to see the TransactionID in the results, you can add the fields command.
oper "| in |" 1234
| fields TransactionID
| join TransactionID
[search oper status
| fields TransactionID
| format maxresults=10000 ]
Some additional facts, which you may already know but some readers may not:
Splunk searches are case-insensitive, so it doesn't matter if you enter oper or OPER. This search is looking for events that have all three of the following tokens, in any order or position, without regard to case:
oper
| in |
1234
But Splunk search is based on keywords - so you will find events with the term "oper" but not "operator"
The search is looking for the vertical bars as well, so it isn't just looking for OPER IN 1234
HTH
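To make the keyword/phrase matching and the join behaviour described in this answer concrete, here is an added Python example that is not part of the thread and not Splunk's own code. It approximates what the two searches do: events are split into whitespace-separated tokens (an assumption; Splunk's real segmentation uses its own major/minor breakers), a quoted phrase such as "| in |" must appear as contiguous tokens, single terms must match a whole token case-insensitively (so "oper" does not match "operator"), and the `| join TransactionID [search ...]` step is simulated as an inner join on TransactionID. The sample events and the `TransactionID=` extraction pattern are constructed for the example.

```python
import re

# Constructed sample events (not from the thread); each string is one raw log line.
SAMPLE_EVENTS = [
    "TransactionID=A100 OPER | IN | 1234 port=7",
    "TransactionID=A100 OPER STATUS ok",
    "TransactionID=B200 OPER | IN | xDSL port=9",
    "TransactionID=B200 OPER STATUS degraded",
    "TransactionID=C300 OPER | IN | 1234 port=3",       # no matching STATUS event
    "TransactionID=D400 OPERATOR | IN | 1234 port=1",   # "operator" is not the token "oper"
    "TransactionID=D400 OPER STATUS ok",
    "TransactionID=E500 OPER IN 1234 port=2",           # no vertical-bar tokens
    "TransactionID=E500 OPER STATUS ok",
]

# Assumed extraction: the transaction id is a key=value pair in the raw event.
TXN_RE = re.compile(r"TransactionID=(\S+)")


def tokens(event):
    """Lower-cased whitespace tokens (simplified stand-in for Splunk's segmentation)."""
    return [t.lower() for t in event.split()]


def has_phrase(toks, phrase):
    """True if the phrase's tokens occur contiguously in toks; a one-token phrase is a plain keyword."""
    needle = phrase.lower().split()
    n = len(needle)
    return any(toks[i:i + n] == needle for i in range(len(toks) - n + 1))


def keyword_match(event, *terms):
    """All terms present as whole tokens / contiguous phrases, any order, case-insensitive."""
    toks = tokens(event)
    return all(has_phrase(toks, term) for term in terms)


def search(events, *terms):
    """Equivalent of a bare keyword search: keep events matching every term."""
    return [e for e in events if keyword_match(e, *terms)]


def transaction_id(event):
    m = TXN_RE.search(event)
    return m.group(1) if m else None


def join_on_transaction(left, right):
    """Inner join like `| join TransactionID [search ...]`: keep left events whose id also appears on the right."""
    right_ids = {transaction_id(e) for e in right}
    return [e for e in left if transaction_id(e) in right_ids]


def matching_transaction_ids(events, value):
    """Ids that have both an 'oper "| in |" <value>' event and an 'oper status' event."""
    left = search(events, "oper", "| in |", value)
    right = search(events, "oper", "status")
    return sorted({transaction_id(e) for e in join_on_transaction(left, right)})


if __name__ == "__main__":
    print(matching_transaction_ids(SAMPLE_EVENTS, "1234"))   # ['A100']
    print(matching_transaction_ids(SAMPLE_EVENTS, "xDSL"))   # ['B200']
```

Running it shows why the numeric and the xDSL cases behave the same once the terms are treated as tokens: C300 drops out because it has no STATUS event, D400 because "OPERATOR" is a different token from "oper", and E500 because the vertical bars are part of the phrase being searched for.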