Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to use OR operator between subsearch and field...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
splunkxorsplunk
Explorer
10-28-2022
04:49 PM
Hey Splunkers,
I have the following search but it is not working as expected. What I am trying to achieve is if one of the conditions matches I will table out some fields.
condition 1 : if user_action="Update*"
OR
Condition 2: within each 5 min bucket, if any user has access more than 400 destination in the same index, index1
but it doesn't work. How can I check both condition on the same search?
Thanks in advanced!
index=index1
``` condition 1 ```
( user_action="Update*" )
OR
``` condition 2 ```
(
[search index=index1 NOT user IN ("system*", "nobody*")
| bin _time span=5m
| stats values(dest) count by _time, user
| where count > 400 ]
)
| table _time, user, dest
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
johnhuang
Motivator
10-28-2022
07:38 PM
Either one of these:
index=index1 user_action="Update"
| append [search index=index1 NOT user IN ("system*", "nobody*")
| bucket _time span=5m
| stats count as event_ct values(dest) AS dest BY _time user
| where count>400]
| table _time user dest
index=index1
| bucket _time span=5m
| eventstats count AS event_ct BY _time user
| search event_ct>400 OR user_action="Update"
| table _time user dest- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
splunkxorsplunk
Explorer
10-28-2022
08:36 PM
It worked! Thanks Johnhuang!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
johnhuang
Motivator
10-28-2022
04:58 PM
Just literally replace the or with
| append
And remove the next set of parentheses
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
splunkxorsplunk
Explorer
10-28-2022
05:20 PM
Thanks for quick reply! but it didn't work
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
johnhuang
Motivator
10-28-2022
07:38 PM
Either one of these:
index=index1 user_action="Update"
| append [search index=index1 NOT user IN ("system*", "nobody*")
| bucket _time span=5m
| stats count as event_ct values(dest) AS dest BY _time user
| where count>400]
| table _time user dest
index=index1
| bucket _time span=5m
| eventstats count AS event_ct BY _time user
| search event_ct>400 OR user_action="Update"
| table _time user dest
Get Updates on the Splunk Community!
Extending Observability Content to Splunk Cloud
Watch Now!
In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...
More Control Over Your Monitoring Costs with Archived Metrics!
What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...
New in Observability Cloud - Explicit Bucket Histograms
Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...
