Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to combine multiple searches to get result
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
celerickalyan11
New Member
08-07-2019
11:32 AM
Ex:
index=newIndex host="1.12.123.4*" "Field"="abcd"| stats count as totalcount | where totalcount >= 10
and
index=newIndex host="1.12.123.4*" "Field"="qwer"| stats count as totalcount | where totalcount >= 20
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
richgalloway
SplunkTrust
08-07-2019
01:00 PM
index=newIndex host="1.12.123.4*" (Field="abcd" OR Field="qwer") | stats count as totalcount by Field | where ((Field="abcd" AND totalcount >= 10) OR (Field="qwer" and totalcount >= 20))
---
If this reply helps you, Karma would be appreciated.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
08-07-2019
03:24 PM
Do not use append. Do not use join. Here are a few good ways:
index=newIndex host="1.12.123.4*" AND (Field="abcd" OR Field="qwer")
| stats count as totalcount BY Field
| where (Field="abcd" AND totalcount >= 10) OR (Field="qwer" AND totalcount >=20)
OR
index=newIndex host="1.12.123.4*" AND (Field="abcd" OR Field="qwer")
| stats count(eval(Field="abcd")) AS abcd count(eval(Field="qwer")) AS qwer
| where (abcd >= 10) OR (qwer >=20)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mayurr98
Super Champion
08-07-2019
01:04 PM
You may try this as well:
index=newIndex host="1.12.123.4*" "Field"="abcd"
| stats count by totalcount
| where count>=10
| append
[ search index=newIndex host="1.12.123.4*" "Field"="qwer"
| stats count as totalcount
| where totalcount>=20 ]
OR
index=newIndex host="1.12.123.4*" (Field="abcd" OR Field="qwer")
| stats count as totalcount by Field
| where (Field="abcd" AND totalcount>=10) AND (Field="qwer" AND totalcount>=20)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
richgalloway
SplunkTrust
08-07-2019
01:00 PM
index=newIndex host="1.12.123.4*" (Field="abcd" OR Field="qwer") | stats count as totalcount by Field | where ((Field="abcd" AND totalcount >= 10) OR (Field="qwer" and totalcount >= 20))
---
If this reply helps you, Karma would be appreciated.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
rafaelsalazar
Path Finder
08-07-2019
01:47 PM
This is the right way.
Both append and join solutions not only are bad practices, but also if dataset is big enough, they will probably hit a conf limit and return less events.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
celerickalyan11
New Member
08-07-2019
01:58 PM
Thank you rafael, I think we are missing something in Where clause. Without Where clause I get the result but once I add where clause it throws no results though my count number is quite small.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
rafaelsalazar
Path Finder
08-07-2019
02:32 PM
Try instead of 10 or 20 a small number like 0 or 1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
celerickalyan11
New Member
08-07-2019
02:38 PM
Without Where clause I get 6000+ count , with where clause I get no result. I tried to lower the count like 0, 1. No luck
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
celerickalyan11
New Member
08-07-2019
03:08 PM
Never mind, I got it. Renamed the field name as my field name has . in it
Thank you
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
michael_schmidt
Path Finder
08-07-2019
12:57 PM
Try this on for size:
index=newIndex host="1.12.123.4*" "Field"="abcd"| stats count as totalcount | where totalcount >= 10 | join type=outer host [search index=newIndex host="1.12.123.4*" "Field"="qwer"| stats count as totalcount | where totalcount >= 20 ]
Get Updates on the Splunk Community!
Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...
Prepare to elevate your security operations with the powerful upgrade to Splunk Enterprise Security 8.x! This ...
Get Early Access to AI Playbook Authoring: Apply for the Alpha Private Preview ...
Passionate about security automation? Apply now to our AI Playbook Authoring Alpha private preview ...
Reduce and Transform Your Firewall Data with Splunk Data Management
Managing high-volume firewall data has always been a challenge. Noisy events and verbose traffic logs often ...
