Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to add multiple field in a single search

jaibalaraman
Path Finder
‎05-23-2024 01:59 AM

Hi 

How to write spl search query by adding multiple field in single search 

 

Field 1 - contain data like authorization " Write or Read " 

Field 2 - contain user id details like " @abc.com , user1, user 2, 

Question 

How to write a spl query 

Index =testing ("write" AND " @abc.com" ) 

spl query to add multiple filed which contain " write " AND "@abc.com" when these condition satisfied an alert has to been sent 

Tags (1)
0 Karma
Reply

norbertt911
Communicator
‎05-23-2024 05:20 AM

May I misunderstand your question, but it's simple:

index= testing field1="write" field2="*@abc.com"

|table field1, field2, ....

if "@abc.com"  is a user name and not a domain (as I assume) you do not need to put the wildcard (*) before. If you put it, it will result in every user with @abc.com. Like, user1@abc.com, user2@abc.com...

alternative:

index=testing | stats count by field1 field2 | search field1="write" AND field2"*@abc.com"

Regards,

0 Karma
Reply

jaibalaraman
Path Finder
‎05-23-2024 04:00 AM

yes i can see the output. However  the search returns based on the string mentioned in the bracket  and also additionally it returns most of other user id 

example - @abc.com , @test.com , testing.@test.co

0 Karma
Reply

jaibalaraman
Path Finder
‎05-23-2024 04:21 AM

Hi please

find the below image 

jaibalaraman_0-1716463297677.png

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-23-2024 05:02 AM

Please paste the text (not an image) of the search into code block (otherwise, it is too small to be read easily)

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-23-2024 04:12 AM

Please share some of the events whish are being returned incorrectly (anonymised appropriately)

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-23-2024 02:06 AM

Try

Index=testing ("write" AND " @abc.com" )

What results do you get?

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...