Solved: Search Condition in index

chuck_life09 · ‎11-13-2020

Hi,

I want to search the index with the eventtype which has "service" or "window" in the value

index=sdsf | search eventtype="*service*" or "*window*" | stats count by eventtype

this is not working. can you help if the OR will work or not.

ITWhisperer · ‎11-13-2020

How is it not working? No results or wrong results?

index=sdsf | search eventtype="*service*" or eventtype="*window*"  | stats count by eventtype

View solution in original post

gcusello · ‎11-13-2020

HI @chuck_life09,

try to put the search conditions as in the main search as possible:

index=sdsf (eventtype="*service*" OR eventtype="*window*")  
| stats count by eventtype

Ciao.

Giuseppe

ITWhisperer · ‎11-13-2020

How is it not working? No results or wrong results?

index=sdsf | search eventtype="*service*" or eventtype="*window*"  | stats count by eventtype

chuck_life09 · ‎11-15-2020

Hi,

@ITWhisperer

Thank you this worked, it dint show me results that were pertaining to "service" or "window". now it is showing me the events which has either of those 2 words.

Search Condition in index

subsearch

Splunk Lantern | Spotlight on Security: Adoption Motions, War Stories, and More

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)

Tech Talk | One Log to Rule Them All