Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Keep a search from excluding results

pepper_seattle
Path Finder
‎06-19-2015 09:30 AM

I have a search which pulls from two different sourcetypes on the same index. In this search I specifically call out '| search <field>=blah', however only one of the sourcetypes contains that field so the search effectively excludes all data from the other sourcetype.

As I have to keep my search setup like so 'index=blah sourcetype=1 OR sourcetype=2 |...| stats count by sourcetype' I cannot simply append them together like I'd hoped. Additionally, searching for my field parameter in that setup does the same exclusion of data, ex: index=blah sourcetype=1 field="blah" OR sourcetype=2 | ...| stats count by sourcetype'.

My question being, is there a way to run this query with my specific field search that won't exclude the data from the second sourcetype?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎06-19-2015 09:35 AM

If I understand you correctly, like this (using parentheses to ensure proper logic):

index=blah ((sourcetype=1 field="blah") OR (sourcetype=2)) | ...| stats count by sourcetype'

View solution in original post

0 Karma
Reply
Solved! Jump to solution

pepper_seattle
Path Finder
‎06-19-2015 09:42 AM

Thanks to both of you!

0 Karma
Reply
Solved! Jump to solution

acharlieh
Influencer
‎06-19-2015 09:37 AM

There are a few options. Parenthesis is one option... e.g. 

index=blah ( (sourcetype=1 field="blah") OR sourcetype=2 ) | ... | stats count by sourcetype

Another option may be multisearch

| multisearch [search index=blah sourcetype=1 field="blah"] [search index=blah sourcetype=2] | ... | stats count by sourcetype

(multisearch is cooler when you have different streaming commands to apply to each subsearch.)

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎06-19-2015 09:35 AM

If I understand you correctly, like this (using parentheses to ensure proper logic):

index=blah ((sourcetype=1 field="blah") OR (sourcetype=2)) | ...| stats count by sourcetype'
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...