Splunk Search

Intersect not working properly?

simonattardGO
Path Finder

Hi all,
I have an intersect search which tries to intersect two search queries with a field. This is the command:

(OPER "| IN |" xDSL) OR (OPER STATUS) [| set intersect [search (OPER "| IN |" xDSL) | fields TransactionID | fields - _*] [search (OPER STATUS) | fields TransactionID | fields - _*] ]

What this command does is it intersects and displays the logs which contain OPER IN xDSL and OPER STATUS with the transactionID.

The problem occurs when I want to intersect and display logs which contain OPER IN 1234 and OPER STATUS with the transactionID. Eg:

(OPER "| IN |" 1234) OR (OPER STATUS) [| set intersect [search (OPER "| IN |" 1234) | fields TransactionID | fields - _*] [search (OPER STATUS) | fields TransactionID | fields - _*] ]

It seems that when I search for a number (i.e. 1234), the command is not compiled correctly.

Any advice?

Thanks in advance

Simon

0 Karma

kartik13
Communicator

In intersect, it will include the internal as well as raw fields and will match on them; it will not match on the single field, so for that you have to exclude the internal fields with |fields host|fields - _*

0 Karma

lguinn2
Legend

I would do this a different way. Here is the simplest form:

oper "| in |" 1234
| join TransactionID
   [search oper status 
    | format maxresults=10000 ]

This should work for xdsl as well as 1234

If you only want to see the TransactionID in the results, you can add the fields command.

oper "| in |" 1234
| fields TransactionID
| join TransactionID
   [search oper status 
    | fields TransactionID
    | format maxresults=10000 ]

Some additional facts, which you may already know but some readers may not:

Splunk searches are case-insensitive, so it doesn't matter if you enter oper or OPER. This search is looking for events that have all three of the following tokens, in any order or position, without regard to case:

oper
| in |
1234

But Splunk search is based on keywords - so you will find events with the term "oper" but not "operator"

The search is looking for the vertical bars as well, so it isn't just looking for OPER IN 1234

HTH

0 Karma
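The two answers above describe two behaviours that are easy to get wrong: `set intersect` compares whole result rows (so leftover internal fields such as _time and _raw stop otherwise-matching TransactionIDs from intersecting until they are dropped), and Splunk's keyword matching is whole-token and case-insensitive ("oper" does not match "operator"). The following is an added, simplified Python model of those two behaviours written for this page; it is not Splunk code and the five events, their field names and the query terms are constructed sample data.

```python
import re

# Constructed sample events (not from the original thread). Each carries
# Splunk-style internal fields (_time, _raw) next to the extracted TransactionID.
EVENTS = [
    {"_time": 1, "_raw": "OPER | IN | 1234 TransactionID=A1", "TransactionID": "A1"},
    {"_time": 2, "_raw": "OPER STATUS TransactionID=A1", "TransactionID": "A1"},
    {"_time": 3, "_raw": "OPER | IN | 1234 TransactionID=B2", "TransactionID": "B2"},
    {"_time": 4, "_raw": "OPERATOR STATUS TransactionID=B2", "TransactionID": "B2"},
    {"_time": 5, "_raw": "oper status TransactionID=C3", "TransactionID": "C3"},
]

# Query terms modelled as bare tokens, as the answer lists them.
Q_IN_1234 = ["oper", "|", "in", "|", "1234"]
Q_STATUS = ["oper", "status"]

# A vertical bar is its own token; everything else is an alphanumeric run.
TOKEN_RE = re.compile(r"\||[A-Za-z0-9]+")


def tokens(text):
    """Whole-token, case-insensitive tokenisation: 'oper' is a token of
    'OPER STATUS' but not of 'OPERATOR STATUS' (model of keyword matching)."""
    return {t.lower() for t in TOKEN_RE.findall(text)}


def search(terms):
    """Events whose _raw contains every query token, in any order or position."""
    wanted = {t.lower() for t in terms}
    return [e for e in EVENTS if wanted <= tokens(e["_raw"])]


def project(rows, keep):
    """Model of `| fields TransactionID | fields - _*`: keep only the named
    fields, which also drops the internal _time/_raw fields."""
    return [{k: r[k] for k in keep if k in r} for r in rows]


def set_intersect(left, right):
    """Model of `| set intersect`: a row matches only if EVERY field value is
    identical, so differing _time/_raw values prevent a match."""
    right_keys = {tuple(sorted(r.items())) for r in right}
    seen, out = set(), []
    for r in left:
        key = tuple(sorted(r.items()))
        if key in right_keys and key not in seen:
            seen.add(key)
            out.append(r)
    return out


def intersect_ids(terms_a, terms_b, strip_internal):
    """TransactionIDs common to both searches via set intersect, with or
    without first dropping the internal fields."""
    a, b = search(terms_a), search(terms_b)
    if strip_internal:
        a, b = project(a, ["TransactionID"]), project(b, ["TransactionID"])
    return sorted(r["TransactionID"] for r in set_intersect(a, b))


def join_ids(terms_a, terms_b):
    """Model of `| join TransactionID [search ...]`: outer events whose
    TransactionID also occurs in the subsearch results."""
    inner = {e["TransactionID"] for e in search(terms_b)}
    return sorted({e["TransactionID"] for e in search(terms_a)
                   if e["TransactionID"] in inner})


if __name__ == "__main__":
    print("intersect, internal fields kept :", intersect_ids(Q_IN_1234, Q_STATUS, False))
    print("intersect, internal fields dropped:", intersect_ids(Q_IN_1234, Q_STATUS, True))
    print("join on TransactionID           :", join_ids(Q_IN_1234, Q_STATUS))
```

Running it shows the empty intersect when _time and _raw are still present, the expected single TransactionID once only TransactionID is kept, and the same result from the join form; the OPERATOR event is never matched because the match is by whole token. The model says nothing about why a numeric term behaved differently in the original poster's environment, which the thread leaves unresolved.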