Splunk Search

How to search my Sonicwall logs for multiple values for the same field?

Rockn
New Member

Very much a newb looking to get some basic information from my Sonicwall logs. Setting up the search using multiple criteria for the same field in the log file is what I am asking. I have a firewall event m=1079 (failed SSL VPN login) and m=1080 (successful). How does one string criteria with an OR?

Is it also possible to limit what is displayed in the search as well as group and count for output to dashboards?

Any good reading material would also be cool.

Thanks

0 Karma

somesoni2
Revered Legend

For reading material, Splunk docs is a good place to start
http://docs.splunk.com/Documentation/Splunk/6.2.3/SearchTutorial/WelcometotheSearchTutorial

Videos
Basic searching
http://www.splunk.com/view/SP-CAAAGW8
https://www.youtube.com/watch?v=nhq9gjVkovU

To add one or more criteria in your search (using boolean functions), try like this
Based on fields

index=foo sourcetype=bar (m=1079 OR m=1080)

String search

index=foo sourcetype=bar ("failed SSL VPN login" OR "successful")

pradeepkumarg
Influencer

If you have the field m already extracted, then you can do the following

m=1079 OR m=1080

You can limit the data using the head or tail commands. The search below will return the first 10 occurrences for m=1079

m=1079 | head 10

You can group the results by using stats

m=1079 OR m=1080 | stats count by m

Documentation here http://docs.splunk.com/Documentation/Splunk/6.2.3/SearchTutorial/Aboutthesearchapp

0 Karma
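To make the filter / head / stats pipeline from the answers above concrete, here is an added Python example (not from the thread or from Splunk) that emulates `(m=1079 OR m=1080) | head N | stats count by m` over SonicWall-style key=value lines. The log lines, and the `usr`/`src` field names, are constructed for illustration; Splunk extracts these fields for you, the code just shows what each stage does.

```python
import re
from collections import Counter

# Constructed SonicWall-style syslog lines (not real device output).
SAMPLE_LOGS = [
    'id=firewall sn=CONSTRUCTED time="2015-06-01 08:00:01" m=1079 msg="SSL VPN user login failed" usr="alice" src=198.51.100.7',
    'id=firewall sn=CONSTRUCTED time="2015-06-01 08:00:03" m=1079 msg="SSL VPN user login failed" usr="alice" src=198.51.100.7',
    'id=firewall sn=CONSTRUCTED time="2015-06-01 08:00:09" m=1080 msg="SSL VPN user login succeeded" usr="alice" src=198.51.100.7',
    'id=firewall sn=CONSTRUCTED time="2015-06-01 08:01:30" m=1079 msg="SSL VPN user login failed" usr="bob" src=203.0.113.9',
    'id=firewall sn=CONSTRUCTED time="2015-06-01 08:02:00" m=537 msg="Connection Closed" src=203.0.113.9',
]

# key=value, where the value is either a double-quoted string or a bare token
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_kv(line):
    """Turn one log line into a dict of fields (what Splunk's automatic key=value extraction does)."""
    fields = {}
    for match in KV_RE.finditer(line):
        key, raw, quoted = match.group(1), match.group(2), match.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def search(lines, field, values):
    """Equivalent of `field=v1 OR field=v2 ...`: keep events whose field holds one of the values."""
    return [ev for ev in map(parse_kv, lines) if ev.get(field) in values]


def head(events, n):
    """Equivalent of `| head n`: keep only the first n matching events."""
    return events[:n]


def stats_count_by(events, *fields):
    """Equivalent of `| stats count by f1 f2 ...`: count events per combination of field values."""
    return Counter(tuple(ev.get(f) for f in fields) for ev in events)


if __name__ == "__main__":
    hits = search(SAMPLE_LOGS, "m", {"1079", "1080"})          # (m=1079 OR m=1080)
    print(head(hits, 10))                                        # | head 10
    for key, n in stats_count_by(hits, "m").items():             # | stats count by m
        print(key, n)
    for key, n in stats_count_by(hits, "m", "src").items():      # | stats count by m src
        print(key, n)
```

Splitting the count by `src` as well as `m` is the same `stats count by` idea, and shows which source produced the failed logins rather than only how many there were.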