Splunk Search

Intersect not working properly?

Hi all,
I have an intersect search which tries to intersect two search queries with a field. This is the command:

(OPER "| IN |" xDSL) OR (OPER STATUS) [| set intersect [search (OPER "| IN |" xDSL) | fields TransactionID | fields - _*] [search (OPER STATUS) | fields TransactionID | fields - _*] ]

What this command does is it intersects and displays the logs which contain OPER IN xDSL and OPER STATUS with the transactionID.

The problem occurs when I want to intersect and display logs which contain OPER IN 1234 and OPER STATUS with the transactionID. Eg:

(OPER "| IN |" 1234) OR (OPER STATUS) [| set intersect [search (OPER "| IN |" 1234) | fields TransactionID | fields - _*] [search (OPER STATUS) | fields TransactionID | fields - _*] ]

It seems that when I search for a number (i.e. 1234), the command is not compiled correctly.

Any advice?

Thanks in advance



In intersect, it will include the internal as well as raw fields and will match them; it will not match the single field, so for that you have to exclude the internal fields by | fields host | fields - _*


I would do this a different way. Here is the simplest form:

oper "| in |" 1234
| join TransactionID
   [search oper status 
    | format maxresults=10000 ]

This should work for xdsl as well as 1234

If you only want to see the TransactionID in the results, you can add the fields command.

oper "| in |" 1234
| fields TransactionID
| join TransactionID
   [search oper status 
    | fields TransactionID
    | format maxresults=10000 ]

Some additional facts, which you may already know but some readers may not:

Splunk searches are case-insensitive, so it doesn't matter if you enter oper or OPER. This search is looking for events that have all three of the following tokens, in any order or position, without regard to case:

| in |

But Splunk search is based on keywords, so you will find events with the term "oper" but not "operator".

The search is looking for the vertical bars as well, so it isn't just looking for OPER IN 1234.


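To make the two answers concrete, here is an added Python simulation (not Splunk code and not from either poster) of how `set intersect` compares whole result rows, why the `fields - _*` step in the first answer matters, and how the `join TransactionID` approach in the second answer matches on the one field instead. The events, their internal `_time`/`_raw`/`_cd` fields and the TransactionID values are constructed sample data; the helper names (`keep_fields`, `drop_internal`, `set_intersect`, `join_on`) are this example's own, and the join follows Splunk's default inner, one-to-one behaviour as assumed here.

```python
"""Constructed simulation of Splunk's `set intersect` versus `join` on event rows.

Each "event" is a dict of field -> value.  Internal fields are those whose names
start with "_".  This is illustrative Python, not Splunk's implementation.
"""
from typing import Dict, List

Event = Dict[str, str]

# Constructed results of the two subsearches in the thread.  Every event carries
# Splunk-style internal fields that differ per event, even when TransactionID matches.
OPER_IN_EVENTS: List[Event] = [
    {"_time": "1700000001", "_raw": "OPER | IN | 1234 TransactionID=T1", "_cd": "1:10", "TransactionID": "T1"},
    {"_time": "1700000002", "_raw": "OPER | IN | 1234 TransactionID=T2", "_cd": "1:11", "TransactionID": "T2"},
    {"_time": "1700000003", "_raw": "OPER | IN | xDSL TransactionID=T3", "_cd": "1:12", "TransactionID": "T3"},
]
OPER_STATUS_EVENTS: List[Event] = [
    {"_time": "1700000004", "_raw": "OPER STATUS ok TransactionID=T2", "_cd": "1:20", "TransactionID": "T2"},
    {"_time": "1700000005", "_raw": "OPER STATUS ok TransactionID=T3", "_cd": "1:21", "TransactionID": "T3"},
    {"_time": "1700000006", "_raw": "OPER STATUS ok TransactionID=T9", "_cd": "1:22", "TransactionID": "T9"},
]


def keep_fields(events: List[Event], *names: str) -> List[Event]:
    """Mimic `| fields a b`: keep the named fields but leave internal _* fields in place."""
    return [{k: v for k, v in ev.items() if k in names or k.startswith("_")} for ev in events]


def drop_internal(events: List[Event]) -> List[Event]:
    """Mimic `| fields - _*`: remove every field whose name starts with an underscore."""
    return [{k: v for k, v in ev.items() if not k.startswith("_")} for ev in events]


def set_intersect(left: List[Event], right: List[Event]) -> List[Event]:
    """Mimic `| set intersect [a] [b]`: a row survives only if an identical row
    (every field still present, internal ones included) occurs in both inputs."""
    right_keys = {tuple(sorted(ev.items())) for ev in right}
    seen, out = set(), []
    for ev in left:
        key = tuple(sorted(ev.items()))
        if key in right_keys and key not in seen:
            seen.add(key)
            out.append(ev)
    return out


def join_on(left: List[Event], right: List[Event], field: str) -> List[Event]:
    """Mimic an inner, one-to-one `| join field [subsearch]` (assumed defaults): each
    left event pairs with the first right event sharing the field; others drop out."""
    first: Dict[str, Event] = {}
    for ev in right:
        first.setdefault(ev[field], ev)
    out = []
    for ev in left:
        if ev.get(field) in first:
            merged = dict(ev)
            merged.update(first[ev[field]])  # subsearch values overwrite, as assumed here
            out.append(merged)
    return out


def intersect_without_dropping_internals() -> List[Event]:
    """The questioner's problem: `fields TransactionID` alone keeps _time/_raw/_cd,
    so no two rows are ever identical and the intersection is empty."""
    return set_intersect(keep_fields(OPER_IN_EVENTS, "TransactionID"),
                         keep_fields(OPER_STATUS_EVENTS, "TransactionID"))


def intersect_after_dropping_internals() -> List[Event]:
    """The first answer's fix: strip _* so rows reduce to TransactionID only."""
    return set_intersect(drop_internal(keep_fields(OPER_IN_EVENTS, "TransactionID")),
                         drop_internal(keep_fields(OPER_STATUS_EVENTS, "TransactionID")))


def join_transactions() -> List[Event]:
    """The second answer's approach: join on the one field, internal fields irrelevant."""
    return join_on(OPER_IN_EVENTS, keep_fields(OPER_STATUS_EVENTS, "TransactionID"), "TransactionID")


if __name__ == "__main__":
    print("intersect, internals kept :", intersect_without_dropping_internals())
    print("intersect, internals dropped:", intersect_after_dropping_internals())
    print("join on TransactionID     :", [e["TransactionID"] for e in join_transactions()])
```

Running it shows the empty intersection when internal fields are left in, the two shared TransactionIDs once `_*` is dropped, and the same two IDs from the join without any field stripping; the join keeps the full main-search events, which is why the second answer suggests adding `fields TransactionID` only if you want the narrower output.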