Hey Splunkers,
I have the following search, but it is not working as expected. What I am trying to achieve is: if one of the conditions matches, I will table out some fields.
Condition 1: if user_action="Update*"
OR
Condition 2: within each 5 min bucket, if any user has accessed more than 400 destinations in the same index, index1
But it doesn't work. How can I check both conditions in the same search?
Thanks in advance!
index=index1
``` condition 1 ```
( user_action="Update*" )
OR
``` condition 2 ```
(
[search index=index1 NOT user IN ("system*", "nobody*")
| bin _time span=5m
| stats values(dest) count by _time, user
| where count > 400 ]
)
| table _time, user, dest
Either one of these:
index=index1 user_action="Update*"
``` condition 2: per 5-minute bucket and user, event count over 400 (excluding system/nobody accounts) ```
| append [search index=index1 NOT user IN ("system*", "nobody*")
| bucket _time span=5m
| stats count AS event_ct values(dest) AS dest BY _time user
| where event_ct>400]
| table _time user dest
index=index1
| bucket _time span=5m
| eventstats count AS event_ct BY _time user
| search event_ct>400 OR user_action="Update*"
| table _time user dest
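To check what the `append` version above actually does, here is the same two-condition logic re-implemented in Python and run over constructed sample events. This is an added example, not code from the thread: it assumes events with `_time`, `user`, `user_action` and `dest` fields, floors `_time` to 5-minute buckets like `bin _time span=5m`, applies the `NOT user IN ("system*", "nobody*")` exclusion with Splunk-style case-insensitive wildcards, and, because the question asks for "more than 400 destinations", thresholds on distinct destinations (`dc(dest)`) while also carrying the event count that the SPL's `count` would give.

```python
"""Python re-implementation of the two-condition Splunk search, run over
constructed sample events so the logic can be checked offline.
Added example, not from the original thread."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase

BUCKET_SECONDS = 5 * 60                    # `bin _time span=5m`
DEST_THRESHOLD = 400                       # `where ... > 400`
EXCLUDED_USERS = ("system*", "nobody*")    # `NOT user IN ("system*", "nobody*")`


def splunk_match(value, pattern):
    """Wildcard compare as Splunk does for field values: case-insensitive, `*` = any run."""
    return fnmatchcase(value.casefold(), pattern.casefold())


def bucket_5m(ts):
    """Floor a UTC timestamp to the start of its 5-minute bucket."""
    epoch = int(ts.timestamp())
    return datetime.fromtimestamp(epoch - epoch % BUCKET_SECONDS, tz=timezone.utc)


def condition1(events):
    """Condition 1: every event whose user_action matches Update*."""
    return [{"_time": e["_time"], "user": e["user"], "dest": e["dest"]}
            for e in events if splunk_match(e["user_action"], "Update*")]


def condition2(events, threshold=DEST_THRESHOLD):
    """Condition 2: per (5-minute bucket, user), more than `threshold` distinct
    destinations.  The thread's SPL thresholds on `count` (events); this counts
    distinct dests, which is what the question asks for, and reports both."""
    dests = defaultdict(set)
    event_ct = defaultdict(int)
    for e in events:
        if any(splunk_match(e["user"], p) for p in EXCLUDED_USERS):
            continue
        key = (bucket_5m(e["_time"]), e["user"])
        dests[key].add(e["dest"])
        event_ct[key] += 1
    return [{"_time": t, "user": u, "dest": sorted(d),
             "event_ct": event_ct[(t, u)], "dc_dest": len(d)}
            for (t, u), d in sorted(dests.items()) if len(d) > threshold]


def run_search(events):
    """Equivalent of `<condition 1> | append [ <condition 2> ]`: rows from both."""
    return condition1(events) + condition2(events)


def sample_events():
    """Constructed sample data (not real logs); all within one 5-minute bucket."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    ev = [{"_time": t0 + timedelta(seconds=10), "user": "alice",
           "user_action": "UpdateProfile", "dest": "app-01"}]   # condition 1
    for i in range(401):                                        # condition 2: 401 distinct hosts
        ev.append({"_time": t0 + timedelta(seconds=i % 240), "user": "bob",
                   "user_action": "Read", "dest": f"host-{i:03d}"})
    for i in range(401):                                        # 401 events, only 3 dests
        ev.append({"_time": t0 + timedelta(seconds=i % 240), "user": "carol",
                   "user_action": "Read", "dest": f"db-{i % 3}"})
    for i in range(500):                                        # excluded account, any volume
        ev.append({"_time": t0 + timedelta(seconds=i % 240), "user": "system-backup",
                   "user_action": "Read", "dest": f"share-{i}"})
    return ev


if __name__ == "__main__":
    for row in run_search(sample_events()):
        print(row["_time"], row["user"], row.get("dc_dest", "-"), str(row["dest"])[:60])
```

Note the carol case: with `stats count` she would trip the 400 threshold on event volume alone, while `dc(dest)` keeps her below it. Decide which of the two the detection is meant to measure before putting the search into production.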
It worked! Thanks Johnhuang!
Just literally replace the OR with
| append
and remove the next set of parentheses.
Thanks for the quick reply! But it didn't work.