Solved: How to combine 2 field searches with multiple valu...

praveenmathew27 · ‎04-30-2019

I want to search the logs that have a combination of source and destination IP's.
For e.g, I want to search the logs where the source is any of (a,b,c,d..etc) and destination is any of (1,2,3,4...etc)

Now for fewer cases, my query would be something like this:-
index=x (source=a OR source=b OR source=c) AND (destination=1 OR destination=2 OR destination=3)

Is there any easier way do the above for larger cases, like if i have 10 source and 10 destination, and I want to check for each combination, wiithout importing a CSV or anything, just basic query?

woodcock · ‎04-30-2019

You can use the IN operator like this:

index=x (source= IN("a", "b", "c") AND (destination IN("1", "2," 3")

You could also exploit 2 lookup file that have these lines:

source
a
b
c
d

Like this:

index=x AND [|inputlookup source.csv | table source] AND [|inputlookup destination.csv | table destination]

You could also use a macro.

View solution in original post

woodcock · ‎04-30-2019

You can use the IN operator like this:

index=x (source= IN("a", "b", "c") AND (destination IN("1", "2," 3")

You could also exploit 2 lookup file that have these lines:

source
a
b
c
d

Like this:

index=x AND [|inputlookup source.csv | table source] AND [|inputlookup destination.csv | table destination]

You could also use a macro.

jodyfsu · ‎04-30-2019

Are either the source or destination of the same subnet? If they are you could do source="10.0.0.*". If not, then you can do the CIDR but that still limits you to a specific range you would just be able to have broader range.

How to combine 2 field searches with multiple values?

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM