Splunk Search

Stringing together searches

ecnausysadm
Explorer

I have searches for two files that are related but the incoming and outgoing file names differ; basically it's an incoming order from a buyer and then the outgoing message to the supplier:
incoming_filename | transaction source host
outgoing_filename | transaction source host

Both of these give the required search results when run separately.
Now I want to be able to put both searches in and display the results, basically join the search for the incoming and outgoing files so I can see when they came in and went out in their separate logs.

I can get APPEND to partially work so I think that might be the right path, e.g. this returns the results for incoming_filename but it doesn't show anything for the outgoing_filename search after the APPEND:
incoming_filename | transaction source host APPEND [search outgoing_filename | transaction source host]

This might be obvious, but I haven't found a way as I'm new to Splunk and not sure if I am on the right track or should be using some other operator (I also tried OR and JOIN with no luck).

Cheers,
Mark

1 Solution

Ayn
Legend

It sounds like you should be able to accomplish what you want simply by having an initial OR clause in your search:

incoming_filename OR outgoing_filename | transaction source host

You mentioned that you've tried OR without success - can you elaborate on what you tried and why it didn't work?

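A fuller version of the OR-based search, added here as an illustration and not taken from the thread itself. The index name edi is an assumption; the two filenames are the ones Mark quotes in his reply, and the eval line labels each transaction as incoming or outgoing so both logs can be compared in one table:

```spl
index=edi ("PO_15485669.135" OR "PO20120526_6839471.EDI")
| transaction source host
| eval direction=if(searchmatch("PO_15485669.135"), "incoming", "outgoing")
| table _time direction source host eventcount duration
| sort 0 _time
```

Because the two files live in separate logs, transaction source host keeps them in separate groups; eventcount and duration are the fields transaction adds, and searchmatch runs against the merged _raw of each transaction, so the label reflects which filename that group contains.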

ecnausysadm
Explorer

Yep, that was it!
I thought I had to run search1 and then search2 and join them; I didn't even think of doing the OR based on the unique search string (i.e. the filename). In hindsight that's pretty obvious.

I had tried:
PO_15485669.135 | transaction source host OR PO20120526_6839471.EDI | transaction source host

Thanks for that.
