I have an intersect search which tries to intersect two search queries with a field. This is the command:
(OPER "| IN |" xDSL) OR (OPER STATUS) [| set intersect [search (OPER "| IN |" xDSL) | fields TransactionID | fields - _*] [search (OPER STATUS) | fields TransactionID | fields - _*] ]
What this command does is intersect and display the logs which contain OPER IN xDSL and OPER STATUS with the TransactionID.
The problem occurs when I want to intersect and display logs which contain OPER IN 1234 and OPER STATUS with the TransactionID. E.g.:
(OPER "| IN |" 1234) OR (OPER STATUS) [| set intersect [search (OPER "| IN |" 1234) | fields TransactionID | fields - _*] [search (OPER STATUS) | fields TransactionID | fields - _*] ]
It seems that when I search for a number (i.e. 1234), the command is not compiled correctly.
Thanks in advance
In intersect, it will include the internal as well as raw fields and will match them; it will not match the single field, so for that you have to exclude the internal fields by |fields host|fields - _*
I would do this a different way. Here is the simplest form:
oper "| in |" 1234 | join TransactionID [search oper status | format maxresults=10000 ]
This should work for xdsl as well.
If you only want to see the TransactionID in the results, you can add the fields command.
oper "| in |" 1234 | fields TransactionID | join TransactionID [search oper status | fields TransactionID | format maxresults=10000 ]
Some additional facts, which you may already know but some readers may not:
Splunk searches are case-insensitive, so it doesn't matter if you enter oper or OPER. This search is looking for events that have all three of the following tokens, in any order or position, without regard to case:
oper | in | 1234
But Splunk search is based on keywords - so you will find events with the term "oper" but not "operator"
The search is looking for the vertical bars as well, so it isn't just looking for OPER IN 1234
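As an added illustration (not code from this thread), the small Python model below shows why the first answer's `set intersect` only matches once internal fields are dropped, and what the second answer's `join TransactionID` does instead: `set intersect` compares whole result rows, so a differing `_time` or `_raw` on each side hides a shared TransactionID. The events, the simplified token matcher and all function names are constructed for this example and are not Splunk's own implementation.

```python
from typing import Dict, List

Event = Dict[str, str]

# Constructed sample events. _time and _raw stand in for Splunk's internal
# fields, which differ between the two sides even when TransactionID matches.
EVENTS: List[Event] = [
    {"_time": "10:00:01", "_raw": "OPER | IN | 1234 txn=A1", "TransactionID": "A1"},
    {"_time": "10:00:02", "_raw": "OPER STATUS txn=A1", "TransactionID": "A1"},
    {"_time": "10:00:03", "_raw": "OPER | IN | 1234 txn=B2", "TransactionID": "B2"},
    {"_time": "10:00:04", "_raw": "OPER STATUS txn=C3", "TransactionID": "C3"},
]

def tokens(raw: str) -> set:
    """Whitespace keyword tokens, case-folded: 'oper' matches OPER but not 'operator'."""
    return {t.lower() for t in raw.split()}

def search(events: List[Event], terms: str) -> List[Event]:
    """Every term (the vertical bars included) must appear as a whole token, any order."""
    wanted = tokens(terms)
    return [e for e in events if wanted <= tokens(e["_raw"])]

def keep_fields(events: List[Event], *names: str) -> List[Event]:
    """Model of `| fields TransactionID | fields - _*`: keep only the named fields."""
    return [{k: e[k] for k in names if k in e} for e in events]

def set_intersect(a: List[Event], b: List[Event]) -> List[Event]:
    """Model of `set intersect`: a row survives only if an identical row is on both sides."""
    rows_b = {tuple(sorted(e.items())) for e in b}
    return [e for e in a if tuple(sorted(e.items())) in rows_b]

def join_on(a: List[Event], b: List[Event], key: str) -> List[Event]:
    """Model of `join TransactionID [...]`: keep rows of a whose key also occurs in b."""
    keys = {e[key] for e in b}
    return [e for e in a if e[key] in keys]

def intersect_ids(left_terms: str, right_terms: str, strip_internal: bool) -> List[str]:
    """TransactionIDs common to both searches via set intersect, with or without `fields - _*`."""
    left, right = search(EVENTS, left_terms), search(EVENTS, right_terms)
    if strip_internal:
        left, right = keep_fields(left, "TransactionID"), keep_fields(right, "TransactionID")
    return sorted(e["TransactionID"] for e in set_intersect(left, right))

def joined_ids(left_terms: str, right_terms: str) -> List[str]:
    """TransactionIDs common to both searches via the join approach."""
    left, right = search(EVENTS, left_terms), search(EVENTS, right_terms)
    return sorted(e["TransactionID"] for e in join_on(left, right, "TransactionID"))

if __name__ == "__main__":
    print(intersect_ids("OPER | IN | 1234", "OPER STATUS", strip_internal=False))  # []
    print(intersect_ids("OPER | IN | 1234", "OPER STATUS", strip_internal=True))   # ['A1']
    print(joined_ids("oper | in | 1234", "oper status"))                             # ['A1']
```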