Solved: Nested Search Query on across multiple files

tanyongjin · ‎05-08-2017

Hi,

I am trying to do a nested search. in Log A, I want to get all the users who has accessed "X". So my search query is like:

source="my_source" users="" Access="X" | top 0 users*

This allows me to get all the users who accessed X in Log A.

Then in Log B (could be a combination of multiple logs), I wanted to use the results from Log A previously to filter out all the log entries from these returned users.

How can I write my query to retrieve the data from my users?

Thank you.

lguinn2 · ‎05-08-2017

Try this

NOT [ search source="my_source" users="*" Access="X" | stats count by users | fields users ] (source=B OR source=C)

View solution in original post

ecanmaster · ‎05-08-2017

looks good
,looks good

lguinn2 · ‎05-08-2017

Try this

NOT [ search source="my_source" users="*" Access="X" | stats count by users | fields users ] (source=B OR source=C)

tanyongjin · ‎05-08-2017

Thanks. After removing the "NOT", I got the results I want.

However, the user search is not case sensitive in 2nd source. How can I enforce case sensitivity in the search?

Thanks again.

Nested Search Query on across multiple files

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life