Splunk Search

OR condition simulation between two search queries

karakutu
Path Finder

Since one of the usernames needs to be simulated with a regex query, I am forced to use regex.

How can I do it so that I simulate a kind of OR condition between the main and sub search query?

index=main
suser IN("abc","def") EventID IN("323","322")
| regex suser="DEF[0-9]"
 
Thanks
1 Solution

inventsekar
Super Champion

index=main suser IN("abc","def") [search index=main EventID IN("323","322") | regex suser="DEF[0-9]" | fields suser] | table suser field1 field2

I am a little confused about this OR requirement, and I am a little confused about the regex inside the subsearch as well. Maybe if you give us some sample logs, the subsearch may not be needed altogether.

 

(i received 100 karma points giver badge, have you?!?!)
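As an added illustration (not part of the thread, and not the answer's own query), here is one way to express the OR the original poster is after without a subsearch. The regex command can carry the whole set of acceptable usernames, so the literal values from the IN list and the pattern-matched username become alternatives inside one anchored regex; the EventID filter stays in the base search so the indexer discards non-matching events before the regex runs. Field names, index and values are the ones from the thread; the `_time` column in the table is assumed for readability.

```spl
index=main EventID IN("323","322")
| regex suser="^(abc|def|DEF[0-9])$"
| table _time suser EventID
```

Two caveats a practitioner should keep in mind: the `regex` command is case-sensitive unless the pattern starts with `(?i)`, whereas the search-time `suser IN("abc","def")` filter is not, so matching behaviour changes slightly when the literals move into the regex; and the same OR can be written after the base search as `| where in(suser, "abc", "def") OR match(suser, "^DEF[0-9]$")` if the literal list and the pattern are easier to maintain separately. When the pattern is just a prefix plus a wildcard, a plain search-time `suser IN("abc","def","DEF*")` is cheaper than any regex.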


karakutu
Path Finder

Thanks for your support. Sample logs I cannot give.

 

The problem is I have a special username which needs to be simulated with regex.

Since I cannot use regex in the IN function, I just want to simulate it separately.

Maybe I use an unnecessary function. Maybe we can do it much easier. I am not sure.

 

 

inventsekar
Super Champion

No need to write us the full logs. You can hide/edit the hostnames/confidential info in the logs and update us with the sample log.

0 Karma
