Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Nested Search Query on across multiple files

tanyongjin
Explorer
‎05-08-2017 08:49 PM

Hi,

I am trying to do a nested search. in Log A, I want to get all the users who has accessed "X". So my search query is like:

source="my_source" users="" Access="X" | top 0 users*

This allows me to get all the users who accessed X in Log A.

Then in Log B (could be a combination of multiple logs), I wanted to use the results from Log A previously to filter out all the log entries from these returned users.

How can I write my query to retrieve the data from my users?

Thank you.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎05-08-2017 10:07 PM

Try this

NOT [ search source="my_source" users="*" Access="X" | stats count by users | fields users ] (source=B OR source=C)

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ecanmaster
Explorer
‎05-08-2017 11:40 PM

looks good
,looks good

0 Karma
Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎05-08-2017 10:07 PM

Try this

NOT [ search source="my_source" users="*" Access="X" | stats count by users | fields users ] (source=B OR source=C)
0 Karma
Reply
Solved! Jump to solution

tanyongjin
Explorer
‎05-08-2017 10:58 PM

Thanks. After removing the "NOT", I got the results I want.

However, the user search is not case sensitive in 2nd source. How can I enforce case sensitivity in the search?

Thanks again.

0 Karma
Reply
Get Updates on the Splunk Community!

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...

What's New in Splunk Observability - October 2025

What’s New?    We’re excited to announce the latest enhancements to Splunk Observability Cloud and share ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

 Prepare to elevate your security operations with the powerful upgrade to Splunk Enterprise Security 8.x! This ...