Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Nested Search Query on across multiple files

tanyongjin
Explorer
‎05-08-2017 08:49 PM

Hi,

I am trying to do a nested search. in Log A, I want to get all the users who has accessed "X". So my search query is like:

source="my_source" users="" Access="X" | top 0 users*

This allows me to get all the users who accessed X in Log A.

Then in Log B (could be a combination of multiple logs), I wanted to use the results from Log A previously to filter out all the log entries from these returned users.

How can I write my query to retrieve the data from my users?

Thank you.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎05-08-2017 10:07 PM

Try this

NOT [ search source="my_source" users="*" Access="X" | stats count by users | fields users ] (source=B OR source=C)

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ecanmaster
Explorer
‎05-08-2017 11:40 PM

looks good
,looks good

0 Karma
Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎05-08-2017 10:07 PM

Try this

NOT [ search source="my_source" users="*" Access="X" | stats count by users | fields users ] (source=B OR source=C)
0 Karma
Reply
Solved! Jump to solution

tanyongjin
Explorer
‎05-08-2017 10:58 PM

Thanks. After removing the "NOT", I got the results I want.

However, the user search is not case sensitive in 2nd source. How can I enforce case sensitivity in the search?

Thanks again.

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...