Solved: Search for to different subtypes

sympatiko · ‎12-01-2014

Hi,

I want to search for any "virus" event in a two different subtype. Is it possible?

Thanks,

somesoni2 · ‎12-02-2014

You can try like this

(index=A1 sourcetype=S1 type=traffic,subtype=forward) OR (index=A2 sourcetype=S3 type=utm,subtype=virus) | search <<your condition/filter/criteria to find virus>>

Where A1-S1 and A2-S2 are index-sourcetype combination for different subtype

View solution in original post

somesoni2 · ‎12-02-2014

You can try like this

(index=A1 sourcetype=S1 type=traffic,subtype=forward) OR (index=A2 sourcetype=S3 type=utm,subtype=virus) | search <<your condition/filter/criteria to find virus>>

Where A1-S1 and A2-S2 are index-sourcetype combination for different subtype

kml_uvce · ‎12-01-2014

What do you mean by subtype ? is this event type ?

sympatiko · ‎12-02-2014

Yes. That's what I mean.

Ayn · ‎12-02-2014

That depends completely on what eventtypes you have, what your definitions are for "virus events", and a number of other factors. Please provide more details with log samples and fields, and we'll stand a better chance of helping you.

sympatiko · ‎12-02-2014

I want to manage logging from my fortigate firewall. There are two subtypes where fortigate is detecting a virus type of event. First is coming from "type=traffic,subtype=forward" and the other one is from "type=utm,subtype=virus" . I want to search for any virus from those two different subtypes? Is it possible?

Thanks,

Search for to different subtypes

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!