Hi All,
I am trying to create a saved search that fits the following logic. How can I combine multiple criteria into one single Splunk search? Thanks.
sourcetype=xyz
c_application starts with Mozilla AND
(
(file_name starts with "mabcd" AND
url matches "http://[a-z]{4,8}-[a-z]{1,7}\.net/[a-z]{4,8}\.php$"
) OR
( path ends with "==" AND
url matches "http://[a-z]{14,21}\.net/[a-z]{4,8}\.php$"
) OR
url matches "[a-z]{4,10}/[a-z_-]{139,157}.(php|html)"
)
Try it like this.
**It's good to add the index as well for faster searching, if possible.
index=yourindex sourcetype=xyz c_application=Mozilla* | where (like(file_name,"mabcd%") AND match(url,"http:\/\/[a-z]{4,8}-[a-z]{1,7}\.net\/[a-z]{4,8}\.php$")) OR (like(path,"%==") AND match(url,"http:\/\/[a-z]{14,21}\.net\/[a-z]{4,8}\.php$")) OR match(url,"[a-z]{4,10}\/[a-z_-]{139,157}\.(php|html)$")
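As an added check, not part of the original question or answer: the same combined logic written in Python and run over a few constructed events, so the AND/OR grouping and the three URL regexes can be verified offline before the search is saved. Field names follow the question; the sample events are made up, and the last pattern's dot before (php|html) is treated as a literal dot, which is an assumption about the intended match.

```python
import re

# The three url regexes from the question, one per OR branch.
# Python's re uses the same quantifier and escape syntax as Splunk's match().
# Assumption: the final pattern's "." before (php|html) is a literal dot, so it is escaped.
URL_BRANCH_A = re.compile(r"http://[a-z]{4,8}-[a-z]{1,7}\.net/[a-z]{4,8}\.php$")
URL_BRANCH_B = re.compile(r"http://[a-z]{14,21}\.net/[a-z]{4,8}\.php$")
URL_BRANCH_C = re.compile(r"[a-z]{4,10}/[a-z_-]{139,157}\.(php|html)$")


def matches_rule(event):
    """Return True when the event satisfies the combined logic from the question.

    c_application must start with Mozilla, and then at least one of:
      A) file_name starts with "mabcd" AND url matches URL_BRANCH_A
      B) path ends with "=="         AND url matches URL_BRANCH_B
      C) url matches URL_BRANCH_C
    AND binds tighter than OR, so each branch is evaluated as a unit.
    """
    if not event.get("c_application", "").startswith("Mozilla"):
        return False
    url = event.get("url", "")
    # search() is unanchored like Splunk's match(); the patterns carry their own "$".
    branch_a = (event.get("file_name", "").startswith("mabcd")
                and URL_BRANCH_A.search(url) is not None)
    branch_b = (event.get("path", "").endswith("==")
                and URL_BRANCH_B.search(url) is not None)
    branch_c = URL_BRANCH_C.search(url) is not None
    return branch_a or branch_b or branch_c


# Constructed sample events (hypothetical values, not from any real log).
LONG_SEGMENT = "a" * 140  # falls inside the {139,157} length window of branch C
SAMPLE_EVENTS = [
    # branch A: mabcd* file name and a short hyphenated .net host
    {"c_application": "Mozilla/5.0", "file_name": "mabcd01.exe",
     "url": "http://abcd-efg.net/load.php"},
    # branch B: path ending in base64 padding and a 16-letter .net host
    {"c_application": "Mozilla/5.0", "path": "/gate/aGVsbG8=",
     "url": "http://abcdefghijklmnop.net/gate.php"},
    # branch C: long lowercase path segment before .html
    {"c_application": "Mozilla/5.0",
     "url": "http://example.com/abcdef/" + LONG_SEGMENT + ".html"},
    # same as branch A but the client is not Mozilla: must not match
    {"c_application": "curl/7.0", "file_name": "mabcd01.exe",
     "url": "http://abcd-efg.net/load.php"},
    # Mozilla and mabcd*, but a query string breaks the "$" anchor: must not match
    {"c_application": "Mozilla/5.0", "file_name": "mabcd01.exe",
     "url": "http://abcd-efg.net/load.php?x=1"},
]


def evaluate_samples():
    """Apply the rule to each sample event and return the list of verdicts."""
    return [matches_rule(ev) for ev in SAMPLE_EVENTS]


if __name__ == "__main__":
    for ev, hit in zip(SAMPLE_EVENTS, evaluate_samples()):
        print(hit, ev.get("url"))
```

Branch B's path "/gate/aGVsbG8=" does not end in "==", so that event is matched only because the url regex fires together with the path test failing? No: it is matched by the host pattern only if the path test passes, so change the sample path to one ending in "==" when you adapt this to real data; the test below uses the values as defined here.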