Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to add multiple field in a single search

jaibalaraman
Path Finder
‎05-23-2024 01:59 AM

Hi 

How to write spl search query by adding multiple field in single search 

 

Field 1 - contain data like authorization " Write or Read " 

Field 2 - contain user id details like " @abc.com , user1, user 2, 

Question 

How to write a spl query 

Index =testing ("write" AND " @abc.com" ) 

spl query to add multiple filed which contain " write " AND "@abc.com" when these condition satisfied an alert has to been sent 

Tags (1)
0 Karma
Reply

norbertt911
Communicator
‎05-23-2024 05:20 AM

May I misunderstand your question, but it's simple:

index= testing field1="write" field2="*@abc.com"

|table field1, field2, ....

if "@abc.com"  is a user name and not a domain (as I assume) you do not need to put the wildcard (*) before. If you put it, it will result in every user with @abc.com. Like, user1@abc.com, user2@abc.com...

alternative:

index=testing | stats count by field1 field2 | search field1="write" AND field2"*@abc.com"

Regards,

0 Karma
Reply

jaibalaraman
Path Finder
‎05-23-2024 04:00 AM

yes i can see the output. However  the search returns based on the string mentioned in the bracket  and also additionally it returns most of other user id 

example - @abc.com , @test.com , testing.@test.co

0 Karma
Reply

jaibalaraman
Path Finder
‎05-23-2024 04:21 AM

Hi please

find the below image 

jaibalaraman_0-1716463297677.png

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-23-2024 05:02 AM

Please paste the text (not an image) of the search into code block (otherwise, it is too small to be read easily)

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-23-2024 04:12 AM

Please share some of the events whish are being returned incorrectly (anonymised appropriately)

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-23-2024 02:06 AM

Try

Index=testing ("write" AND " @abc.com" )

What results do you get?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...