Hi all,
I have an intersect search which tries to intersect two search queries with a field. This is the command:

(OPER "| IN |" xDSL) OR (OPER STATUS) [| set intersect [search (OPER "| IN |" xDSL) | fields TransactionID | fields - _*] [search (OPER STATUS) | fields TransactionID | fields - _*] ]

What this command does is it intersects and displays the logs which contain OPER IN xDSL and OPER STATUS with the transactionID.

The problem occurs when I want to intersect and display logs which contain OPER IN 1234 and OPER STATUS with the transactionID. Eg:

(OPER "| IN |" 1234) OR (OPER STATUS) [| set intersect [search (OPER "| IN |" 1234) | fields TransactionID | fields - _*] [search (OPER STATUS) | fields TransactionID | fields - _*] ]

It seems that when I search for a number (i.e. 1234), the command is not compiled correctly.

Any advice?

Thanks in advance


In intersect, it will include the internal as well as raw fields and will match them; it will not match the single field, so for that you have to exclude the internal fields by |fields host|fields - _*

I would do this a different way. Here is the simplest form:

oper "| in |" 1234
| join TransactionID
   [search oper status 
    | format maxresults=10000 ]

This should work for xdsl as well as 1234

If you only want to see the TransactionID in the results, you can add the fields command.

oper "| in |" 1234
| fields TransactionID
| join TransactionID
   [search oper status 
    | fields TransactionID
    | format maxresults=10000 ]

Some additional facts, which you may already know but some readers may not:

Splunk searches are case-insensitive, so it doesn't matter if you enter oper or OPER. This search is looking for events that have all three of the following tokens, in any order or position, without regard to case:

oper
| in |
1234

But Splunk search is based on keywords, so you will find events with the term "oper" but not "operator".

The search is looking for the vertical bars as well, so it isn't just looking for OPER IN 1234.
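To make the two points in this thread concrete (the first answer's point that `set intersect` compares whole rows, internal `_*` fields included, and the second answer's `join TransactionID` approach), here is an added Python model of the relevant Splunk semantics. It is not Splunk code or code from either answer: the events are constructed sample data, the tokenizer is a simplification (whitespace split, lowercase, quoted phrases matched as a contiguous token run), and the function names `search`, `project`, `set_intersect`, `join_on` and `common_transactions` are my own.

```python
# Added example, not from the thread: a toy model of Splunk keyword search,
# `fields ... | fields - _*`, `set intersect`, and `join <field>`.

# Constructed sample events (not real log data). Each dict models one event:
# internal fields (_time, _raw) plus an extracted TransactionID field.
EVENTS = [
    {"_time": 1, "_raw": "OPER | IN | 1234 TransactionID=T1", "TransactionID": "T1"},
    {"_time": 2, "_raw": "OPER STATUS TransactionID=T1", "TransactionID": "T1"},
    {"_time": 3, "_raw": "OPER | IN | xDSL TransactionID=T2", "TransactionID": "T2"},
    {"_time": 4, "_raw": "OPER STATUS TransactionID=T3", "TransactionID": "T3"},
    # "OPERATOR" must not match the keyword "oper" (keyword, not substring, search).
    {"_time": 5, "_raw": "OPERATOR | IN | 1234 TransactionID=T4", "TransactionID": "T4"},
]


def tokens(text):
    """Simplified tokenizer (assumption): split on whitespace, case-insensitive."""
    return text.lower().split()


def matches(query_terms, event):
    """Every term must occur as a whole token; a quoted phrase such as
    '| in |' must occur as a contiguous run of tokens, in any position."""
    ev = tokens(event["_raw"])
    for term in query_terms:
        want = tokens(term)
        n = len(want)
        if not any(ev[i:i + n] == want for i in range(len(ev) - n + 1)):
            return False
    return True


def search(query_terms, events):
    """Keyword search over the event list (all terms ANDed, any order)."""
    return [e for e in events if matches(query_terms, e)]


def project(events, keep):
    """Model of `fields <keep> | fields - _*`: keep only the named fields and
    drop every internal field (those starting with '_')."""
    return [{k: v for k, v in e.items() if k in keep and not k.startswith("_")}
            for e in events]


def set_intersect(a, b):
    """Model of `set intersect`: rows are compared as whole field tuples, so two
    different raw events never match unless reduced to the shared field first."""
    row_key = lambda e: tuple(sorted(e.items()))
    b_keys = {row_key(e) for e in b}
    seen, out = set(), []
    for e in a:
        k = row_key(e)
        if k in b_keys and k not in seen:   # intersect also de-duplicates
            seen.add(k)
            out.append(e)
    return out


def join_on(left, right, field):
    """Model of `join <field> [subsearch]`: keep left rows whose field value
    also occurs in the subsearch results."""
    right_vals = {e[field] for e in right if field in e}
    return [e for e in left if e.get(field) in right_vals]


def common_transactions(value):
    """Transactions that have both an 'OPER | IN | <value>' event and an
    'OPER STATUS' event, computed three ways."""
    in_query = ["oper", "| in |", value]
    status_query = ["oper", "status"]
    a = search(in_query, EVENTS)
    b = search(status_query, EVENTS)
    raw = set_intersect(a, b)                       # whole events: always empty
    ids = set_intersect(project(a, {"TransactionID"}),
                        project(b, {"TransactionID"}))
    joined = join_on(a, b, "TransactionID")
    return {
        "raw_intersect": len(raw),
        "id_intersect": sorted(e["TransactionID"] for e in ids),
        "join": sorted(e["TransactionID"] for e in joined),
    }


if __name__ == "__main__":
    for v in ("1234", "xDSL"):
        print(v, common_transactions(v))
```

The `raw_intersect` count stays at zero for both values because no "OPER | IN |" event is byte-for-byte equal to an "OPER STATUS" event; only after `project` strips everything except TransactionID (the `fields TransactionID | fields - _*` step) does the intersection line up, and the `join` form reaches the same result without needing that step at all.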
