Solved: How to apply multiple criteria in a single Splunk ...

splunkrocks2014 · ‎03-31-2016

Hi All,

I try to create a saved search to fit into the following logic. How can I combine multiple criteria into one single Splunk search? Thanks.

sourcetype=xyz
capplication starts with Mozilla AND
(
(filename starts with "mabcd" AND
url matches "http://[a-z]{4\,8}-[a-z]{1\,7}\.net/[a-z]{4\,8}\.php$"
) OR
( path ends with "==" AND
url matches "http://[a-z]{14\,21}\.net/[a-z]{4\,8}\.php$"
) OR
url matches "[a-z]{4,10}/[a-z_-]{139,157}.(php|html)"
)

somesoni2 · ‎03-31-2016

Try like this

**Its good to add index as well for faster searching, if possible.

index=yourindex sourcetype=xyz c_application=Mozilla* | where (like(file_name,"mabcd%")  AND match(url,"http:\/\/[a-z]{4,8}-[a-z]{1,7}\.net\/[a-z]{4,8}\.php$" ) OR ( like(path,"%==") AND match(url, "http:\/\/[a-z]{14,21}\.net\/[a-z]{4,8}\.php$") ) OR (match(url, "[a-z]{4,10}\/[a-z_-]{139,157}.(php|html)$"))

View solution in original post

somesoni2 · ‎03-31-2016

Try like this

**Its good to add index as well for faster searching, if possible.

index=yourindex sourcetype=xyz c_application=Mozilla* | where (like(file_name,"mabcd%")  AND match(url,"http:\/\/[a-z]{4,8}-[a-z]{1,7}\.net\/[a-z]{4,8}\.php$" ) OR ( like(path,"%==") AND match(url, "http:\/\/[a-z]{14,21}\.net\/[a-z]{4,8}\.php$") ) OR (match(url, "[a-z]{4,10}\/[a-z_-]{139,157}.(php|html)$"))

View solution in original post

How to apply multiple criteria in a single Splunk search?