Splunk Search

How to Search for the Rows If at Least One Row in the Whole source Meets a Criteria

hpaknia
Explorer

I want to search like:

index=whatever "term_1" AND (at least one event in the source of the found record contains term_2)

Suppose source1 is:
/var/log/source1.log
event 1
event 2 term_2
event 3
event 4 term_1

source2 is:
/var/log/source2.log
event 1
event 2
event 3 term_1

When searching for term_1, I want to see the results only from source1. Because source1 also has an event having term_2 in it.

Labels (1)

muebel
SplunkTrust
SplunkTrust

I'm having difficulty understanding this :grinning_face_with_sweat:. Could you explain what you mean by source?

Perhaps you could drop in literal event samples? I'm not following the example presented.

0 Karma

hpaknia
Explorer

Suppose source1 is:
/var/log/source1.log
event 1
event 2 term_2
event 3
event 4 term_1

source2 is:
/var/log/source2.log
event 1
event 2
event 3 term_1

When searching for term_1, I want to see the results only from source1. Because source1 also has an event having term_2 in it.

0 Karma

inventsekar
SplunkTrust
SplunkTrust

Suppose source1 is:
/var/log/source1.log
event 1
event 2 term_2
event 3
event 4 term_1

source2 is:
/var/log/source2.log
event 1
event 2
event 3 term_1

When searching for term_1, I want to see the results only from source1. Because source1 also has an event having term_2 in it.

 

Simply, 

Index=test host=testhost term_1 term_2 (source=source1 OR source=source2)

This will search for term1 AND term2, with source1 OR source2 

I hope that's what u r looking for.

 

 

 

 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma

hpaknia
Explorer

Not exactly. I close this question. I agree that the question is kind of ambiguous. I have to deeply learn how Splunk querying works to find my way around this.

 

Thanks

Update: Not sure how I can close the question without deleting it. 

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...