Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Nested Search Query on across multiple files

tanyongjin
Explorer
‎05-08-2017 08:49 PM

Hi,

I am trying to do a nested search. in Log A, I want to get all the users who has accessed "X". So my search query is like:

source="my_source" users="" Access="X" | top 0 users*

This allows me to get all the users who accessed X in Log A.

Then in Log B (could be a combination of multiple logs), I wanted to use the results from Log A previously to filter out all the log entries from these returned users.

How can I write my query to retrieve the data from my users?

Thank you.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎05-08-2017 10:07 PM

Try this

NOT [ search source="my_source" users="*" Access="X" | stats count by users | fields users ] (source=B OR source=C)

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ecanmaster
Explorer
‎05-08-2017 11:40 PM

looks good
,looks good

0 Karma
Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎05-08-2017 10:07 PM

Try this

NOT [ search source="my_source" users="*" Access="X" | stats count by users | fields users ] (source=B OR source=C)
0 Karma
Reply
Solved! Jump to solution

tanyongjin
Explorer
‎05-08-2017 10:58 PM

Thanks. After removing the "NOT", I got the results I want.

However, the user search is not case sensitive in 2nd source. How can I enforce case sensitivity in the search?

Thanks again.

0 Karma
Reply
Get Updates on the Splunk Community!

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...

4 Ways the Splunk Community Helps You Prepare for .conf25

.conf25 is right around the corner, and whether you’re a first-time attendee or a seasoned Splunker, the ...