Solved: Re: Nested Search Query on across multiple files

tanyongjin · ‎05-08-2017

Hi,

I am trying to do a nested search. in Log A, I want to get all the users who has accessed "X". So my search query is like:

source="my_source" users="" Access="X" | top 0 users*

This allows me to get all the users who accessed X in Log A.

Then in Log B (could be a combination of multiple logs), I wanted to use the results from Log A previously to filter out all the log entries from these returned users.

How can I write my query to retrieve the data from my users?

Thank you.

lguinn2 · ‎05-08-2017

Try this

NOT [ search source="my_source" users="*" Access="X" | stats count by users | fields users ] (source=B OR source=C)

View solution in original post

ecanmaster · ‎05-08-2017

looks good
,looks good

lguinn2 · ‎05-08-2017

Try this

NOT [ search source="my_source" users="*" Access="X" | stats count by users | fields users ] (source=B OR source=C)

tanyongjin · ‎05-08-2017

Thanks. After removing the "NOT", I got the results I want.

However, the user search is not case sensitive in 2nd source. How can I enforce case sensitivity in the search?

Thanks again.

Nested Search Query on across multiple files

New in Splunk Observability Cloud: Automated Archiving for Unused Metrics

Calling All Security Pros: Ready to Race Through Boston?

What's New in Splunk Observability - July 2025

Are you a member of the Splunk Community?

Nested Search Query on across multiple files

New in Splunk Observability Cloud: Automated Archiving for Unused Metrics

Calling All Security Pros: Ready to Race Through Boston?

What's New in Splunk Observability - July 2025