Solved: combine two searches

msalghamdi · ‎02-02-2025

Dear Splunker

i need a search that gets me if theres a host that has these logs, below is a psudeo search that show what i really want:

index=linux host=* sourcetype=bash_history AND ("systemctl start" OR "systemctl enable") | union [search index=linux host=* sourcetype=bash_history (mv AND /opt/ ) ]

just to make more clearer, i want a match only if a server generated a log that contains "mv AND /opt/" and another log that contains "systemctl start" OR "systemctl enable"

thanks in advance

ITWhisperer · ‎02-02-2025

Try something like this

index=linux host=* sourcetype=bash_history "systemctl start" OR "systemctl enable" OR (mv /opt/)
| eval systemctl=if(searchmatch("systemctl"), "systemctl",null())
| eval mo_opt=if(searchmatch("mv") AND searchmatch("/opt/"), "mv_opt", null())
| stats dc(mv_opt) as mv_opt dc(systemctl) as systemctl by host
| where mv_opt==1 and systemctl==1

View solution in original post

msalghamdi · ‎02-02-2025

it worked, thanks Whisperer, a helping hand as alwas

ITWhisperer · ‎02-02-2025

Try something like this

index=linux host=* sourcetype=bash_history "systemctl start" OR "systemctl enable" OR (mv /opt/)
| eval systemctl=if(searchmatch("systemctl"), "systemctl",null())
| eval mo_opt=if(searchmatch("mv") AND searchmatch("/opt/"), "mv_opt", null())
| stats dc(mv_opt) as mv_opt dc(systemctl) as systemctl by host
| where mv_opt==1 and systemctl==1

combine two searches

join

search job inspector

Preparing your Splunk Environment for OpenSSL3

Unleash Unified Security and Observability with Splunk Cloud Platform

Splunk AppDynamics with Cisco Secure Application