Combine searches into 1 search

Builder

Hello,

I have 3 saved searches that are pretty much all the same except for the source. The searches are:

sourcetype="cron_BalanceEmail" source="asia" starthoursago="1" BalanceEmail sent | rex field=_raw "\[BalanceEmail\](?<TotalEmailsSent>\d+) of (?<TotalEmailsToSend>\d+) of email notification sent\." | where TotalEmailsSent < TotalEmailsToSend

sourcetype="cron_BalanceEmail" source="info" starthoursago="1" BalanceEmail sent | rex field=_raw "\[BalanceEmail\](?<TotalEmailsSent>\d+) of (?<TotalEmailsToSend>\d+) of email notification sent\." | where TotalEmailsSent < TotalEmailsToSend

sourcetype="cron_BalanceEmail" source="org" starthoursago="1" BalanceEmail sent | rex field=_raw "\[BalanceEmail\](?<TotalEmailsSent>\d+) of (?<TotalEmailsToSend>\d+) of email notification sent\." | where TotalEmailsSent < TotalEmailsToSend

As you can see, all are the same except for the source. I tried altering the search to say maybe source=asia AND info AND org, but I must not be getting it right. Anyone have any ideas? It's probably right in front of my face, but I just can't see it.

Builder

That worked. Doh! I guess I should have used OR instead of AND... thanks

Motivator

I'm glad that your query works now. Happy splunking 🙂

Motivator

Try this:

sourcetype="cron_BalanceEmail" (source="asia" OR source="info" OR source="org") starthoursago="1" BalanceEmail sent | rex field=_raw "\[BalanceEmail\](?<TotalEmailsSent>\d+) of (?<TotalEmailsToSend>\d+) of email notification sent\." | where TotalEmailsSent < TotalEmailsToSend

I hope this works for you; if not, let me know.

Chris
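Building on the combined search above, as an added example that is not from the original thread: once the three sources share one search, a per-source summary keeps the single alert informative, so you still see which source fell short, by how much, and when it was last observed. Field names come from the searches above; `Shortfall`, `ShortRuns`, `MissedEmails` and `LastSeen` are names chosen here.

```spl
sourcetype="cron_BalanceEmail" (source="asia" OR source="info" OR source="org") starthoursago="1" BalanceEmail sent
| rex field=_raw "\[BalanceEmail\](?<TotalEmailsSent>\d+) of (?<TotalEmailsToSend>\d+) of email notification sent\."
| where TotalEmailsSent < TotalEmailsToSend
| eval Shortfall = TotalEmailsToSend - TotalEmailsSent
| stats count AS ShortRuns, sum(Shortfall) AS MissedEmails, latest(_time) AS LastSeen BY source
| eval LastSeen = strftime(LastSeen, "%Y-%m-%d %H:%M:%S")
| sort - MissedEmails
```

A saved search alerting on this result set fires once for all three sources, and the `source` column in the results tells you which one needs attention.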