- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Keep a search from excluding results
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a search which pulls from two different sourcetypes on the same index. In this search I specifically call out '| search <field>=blah', however only one of the sourcetypes contains that field so the search effectively excludes all data from the other sourcetype.
As I have to keep my search setup like so 'index=blah sourcetype=1 OR sourcetype=2 |...| stats count by sourcetype' I cannot simply append them together like I'd hoped. Additionally, searching for my field parameter in that setup does the same exclusion of data, ex: index=blah sourcetype=1 field="blah" OR sourcetype=2 | ...| stats count by sourcetype'.
My question being, is there a way to run this query with my specific field search that won't exclude the data from the second sourcetype?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If I understand you correctly, like this (using parentheses to ensure proper logic):
index=blah ((sourcetype=1 field="blah") OR (sourcetype=2)) | ...| stats count by sourcetype'
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks to both of you!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There are a few options. Parenthesis is one option... e.g.
index=blah ( (sourcetype=1 field="blah") OR sourcetype=2 ) | ... | stats count by sourcetype
Another option may be multisearch
| multisearch [search index=blah sourcetype=1 field="blah"] [search index=blah sourcetype=2] | ... | stats count by sourcetype
(multisearch is cooler when you have different streaming commands to apply to each subsearch.)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If I understand you correctly, like this (using parentheses to ensure proper logic):
index=blah ((sourcetype=1 field="blah") OR (sourcetype=2)) | ...| stats count by sourcetype'
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...
Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...
Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...
