Splunk Search

How to make a search for two or more source files with a wildcard or regex?

iamuser
Engager

What search criteria should I include to only get these logs?

D:\Applications\Windows.App.0001\app1\logs\log-06-17-2021-Test.log
D:\Applications\Windows.App.0002\app1\logs\log-06-17-2021-Test.log
D:\Applications\Windows.App.0003\app1\logs\log-06-172021-Test.log
D:\Applications\PBS20.01\app1\logs\log-06-17-2021-Test.log
D:\Applications\PBS20.02\app1\logs\log-06-17-2021-Test.log
D:\Applications\PBS20.03\app1\logs\log-06-17-2021-Test.log
D:\Applications\DDS0\app1\logs\log-06-17-2021-Test.log
D:\Applications\DDS1\app1\logs\log-06-17-2021-Test.log


I tried this, but it did not work:

source="*Windows.App*log*Test.log" source="*PBS20*log*Test.log" source="*DDS*log*Test.log"
or this:
source="*Windows.App*log*Test.log" or source="*PBS20*log*Test.log" or source="*DDS*log*Test.log"
or this:
source="*(Windows.App|PBS20|DDS)*log*Test.log)"

I cannot use the "Applications" keyword since this is a common folder across all applications we are using.

Thanks


richgalloway
SplunkTrust

The first form won't work because of the implied AND operator between each expression.  The source field cannot have more than one value at a time.

The second form should work, but the OR operator must be in upper-case.

The third form may work, but not as expected.  The search command does not support regular expressions so it will try to find the specified string literally.

---
If this reply helps you, Karma would be appreciated.

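As an added example (not from the thread), the corrected second form, followed by an alternative that uses the regex command, which is the SPL command that does accept a regular expression (the search command itself treats the pattern literally, as the answer says). The trailing stats is a quick check of which source values the search actually returned. The folder-name patterns are assumed from the paths listed in the question:

```spl
source="*Windows.App*log*Test.log" OR source="*PBS20*log*Test.log" OR source="*DDS*log*Test.log"
| stats count BY source

source="*\\app1\\logs\\log-*-Test.log"
| regex source="(Windows\.App\.\d{4}|PBS20\.\d{2}|DDS\d)"
| stats count BY source
```

The regex command filters events after they have been retrieved, so keep a narrowing source term in front of it rather than searching everything and filtering afterwards.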


iamuser
Engager

Thanks. The uppercase OR works. The other option I used is a subquery, similar to this:
source="D:\\Applications*Test.Log" |
where like(source,"%Windows.App%log%Test.log")  or like(source,"%PBS20%log%Test.log")  or like(source,"%DDS%log%Test.log")  |
table source, _raw
