Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Why does the multisearch command only return r...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
luisterra
Explorer
04-26-2016
02:35 AM
Hi,
I'm on 6.1.1 and I need to search two different indexes, so I thought the multisearch command would be up for the job.
The first search is:
index=a sourcetype=b f1!="" f2!="stuff" f2!="stuff" f2!="sti=stuff"
| rex max_match=0 field=f3 "\/\/(?P<nf>[a-zA-Z0-9\-\.]+)"
| regex fqdn="(^|\s)\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"
| search NOT [|inputlookup file1 | fields xf4 | rename f4 as f4]
| fields f1 f2 f3 f4 f5 f6 f7
| fields - _raw
| mvexpand f5
| search f5!=*.jpg f5!=*.jpeg f5!=*.gif f5!=*.txt f5!=*.png
| mvexpand nf
| regex nf="(^|\s)\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"
| regex f5="\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"
| search nf!="10.0.0.0/8" nf!="172.16.0.0/12" nf!="127.0.0.1" nf!="192.168.0.0/16"
| eval check=1
Second search:
index=c sourcetype=d earliest=-2d f9=0 f10=0
| regex b_f="^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"
| fields b_f
| eval check=2
With multisearch:
|multisearch
[search index=a sourcetype=b f1!="" f2!="stuff" f2!="stuff" f2!="sti=stuff"
| rex max_match=0 field=f3 "\/\/(?P<nf>[a-zA-Z0-9\-\.]+)"
| regex fqdn="(^|\s)\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"
| search NOT [|inputlookup file1 | fields xf4 | rename f4 as f4]
| fields f1 f2 f3 f4 f5 f6 f7
| fields - _raw
| mvexpand f5
| search f5!=*.jpg f5!=*.jpeg f5!=*.gif f5!=*.txt f5!=*.png
| mvexpand nf
| regex nf="(^|\s)\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"
| regex f5="\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"
| search nf!="10.0.0.0/8" nf!="172.16.0.0/12" nf!="127.0.0.1" nf!="192.168.0.0/16"
| eval check=1]
[search index=c sourcetype=d earliest=-2d f9=0 f10=0
| regex b_f="^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"
| fields b_f
| eval check=2]
Both searches return events I run them on their own, but with multisearch, no joy.
Am I missing something?
Why do I only get results from the second search?
thanks in advance for any pointers!
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
luisterra
Explorer
04-26-2016
03:42 AM
I think I got it.
I thought the issue was with my multisearch, but in fact it is to do with the dedup that follows it!
|multisearch
[search1]
[search2]
| dedup b_f
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
luisterra
Explorer
04-26-2016
03:42 AM
I think I got it.
I thought the issue was with my multisearch, but in fact it is to do with the dedup that follows it!
|multisearch
[search1]
[search2]
| dedup b_f
Get Updates on the Splunk Community!
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
The Transformative Power of AI and ML in Enhancing Observability
In the realm of IT operations, the ...
.conf24 | Registration Open!
Hello, hello! I come bearing good news: Registration for .conf24 is now open!
conf is Splunk’s rad annual ...
ICYMI - Check out the latest releases of Splunk Edge Processor
Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.
HEC Receiver authorization ...
