Solved: where command with multiple sourcetypes

msarro · ‎08-25-2011

Greetings.
I am using multiple sourcetypes in a query that I am working with. If you open a search using something like this

sourcetype=SOURCE1 OR sourcetype=SOURCE2 OR sourcetype=SOURCE3

Playing around, if I try to filter anything with SOURCE1's events, all of the events from SOURCE2 and SOURCE3 get eliminated as well. For example (where AS_AS_Call_Type is an event field found only in SOURCE1):

sourcetype=SOURCE1 or sourcetype=SOURCE2 OR sourcetype=SOURCE3 AS_AS_Call_Type=network

Only events of SOURCE1 get returned. What I want is to keep all of the events from SOURCE2 and SOURCE3, along with the filtered events of SOURCE1.

How can I do this?

sophy · ‎08-25-2011

Hi!

Perhaps what you're trying to do is:

(sourcetype=SOURCE1 AS_AS_Call_Type=network) OR sourcetype=SOURCE2 OR sourcetype=SOURCE3

This will match events with "sourcetype=SOURCE1 AND AS_AS_Call_Type=network", as well as the other two sourcetypes.

Does that make sense?

View solution in original post

sophy · ‎08-25-2011

Hi!

Perhaps what you're trying to do is:

(sourcetype=SOURCE1 AS_AS_Call_Type=network) OR sourcetype=SOURCE2 OR sourcetype=SOURCE3

This will match events with "sourcetype=SOURCE1 AND AS_AS_Call_Type=network", as well as the other two sourcetypes.

Does that make sense?

msarro · ‎08-25-2011

Makes sense! The only command that seems not to be working is isnotnull(field) but I can do without that for now. Thank you!

where command with multiple sourcetypes

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases