Splunk search help -- output data should match set...

dantimola · ‎09-21-2017

Hi, Fellow Splunkers,

Had post a question this past few days about matching 2 words or more ( https://answers.splunk.com/answers/577564/splunk-search-help-output-data-should-match-2-or-m.html), however, this case is working if you have to match 1 word only, my problem is that I have to match 3 sets of words for my output. For example:

case 1: Apple Banana Cupcake
case 2: foo1 foo2 foo3
case 3: food drinks people

Field = The Apple and Banana are fruit (matched word are in case 1: Apple and Banana)

Can I possibly do this in Splunk search? Thanks in advance.

inventsekar · ‎09-21-2017

not sure of "my problem is that I have to match 3 sets of words for my output",
but if the query words can be searched together..

  .....| rex "(?i)(?Apple|Banana|Cupcake|foo1|foo2|foo3|food|drinks|people)" max_match=0

       | where mvcount(matchword)>1

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

Splunk search help -- output data should match sets of keywords