
Intersect not working properly?

simonattardGO
Path Finder

Hi all,
I have an intersect search which tries to intersect two search queries with a field. This is the command:

(OPER "| IN |" xDSL) OR (OPER STATUS) [| set intersect [search (OPER "| IN |" xDSL) | fields TransactionID | fields - _*] [search (OPER STATUS) | fields TransactionID | fields - _*] ]

What this command does is intersect and display the logs which contain OPER IN xDSL and OPER STATUS with the TransactionID.

The problem occurs when I want to intersect and display logs which contain OPER IN 1234 and OPER STATUS with the TransactionID. E.g.:

(OPER "| IN |" 1234) OR (OPER STATUS) [| set intersect [search (OPER "| IN |" 1234) | fields TransactionID | fields - _*] [search (OPER STATUS) | fields TransactionID | fields - _*] ]

It seems that when I search for a number (i.e. 1234), the command is not compiled correctly.

Any advice?

Thanks in advance

Simon


kartik13
Communicator

In intersect, it will include the internal as well as the raw fields and will match on them; it will not match on the single field. So for that you have to exclude the internal fields with | fields host | fields - _*


lguinn2
Legend

I would do this a different way. Here is the simplest form:

oper "| in |" 1234
| join TransactionID
   [search oper status 
    | format maxresults=10000 ]

This should work for xdsl as well as 1234

If you only want to see the TransactionID in the results, you can add the fields command.

oper "| in |" 1234
| fields TransactionID
| join TransactionID
   [search oper status 
    | fields TransactionID
    | format maxresults=10000 ]

Some additional facts, which you may already know but some readers may not:

Splunk searches are case-insensitive, so it doesn't matter if you enter oper or OPER. This search is looking for events that have all three of the following tokens, in any order or position, without regard to case:

oper
| in |
1234

But Splunk search is based on keywords - so you will find events with the term "oper" but not "operator"

The search is looking for the vertical bars as well, so it isn't just looking for OPER IN 1234

HTH

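The matching and intersection logic discussed in the question and in lguinn2's answer, as an added Python model. This is not code from the thread and not Splunk's own implementation: it assumes a constructed log format with TransactionID=<id> in the raw text, and it simplifies Splunk's tokenizer to whitespace splitting with lower-cased whole-token comparison. That is enough to show the three facts listed in the answer (case-insensitive, whole tokens so "operator" does not match "oper", and the vertical bars are part of the phrase) and to show the intersection keyed on TransactionID alone, which is what `fields TransactionID | fields - _*` achieves in the original set intersect search.

```python
"""Simplified model of keyword matching and TransactionID intersection.

Added example, not from the thread or from Splunk. Splunk's real index uses
major/minor breakers; here an event is just split on whitespace (assumption).
"""
import re
from typing import Iterable, List, Optional, Set, Tuple

# Constructed sample events (assumed format: "TransactionID=<id> <message>").
EVENTS = [
    "TransactionID=T1 OPER | IN | xDSL",
    "TransactionID=T1 OPER STATUS OK",
    "TransactionID=T2 OPER | IN | 1234",
    "TransactionID=T2 OPER STATUS FAIL",
    "TransactionID=T3 OPER | IN | 1234",       # no STATUS event for T3
    "TransactionID=T4 OPERATOR IN 1234",       # "operator" is not "oper"; no bars
    "TransactionID=T4 OPER STATUS OK",
    "TransactionID=T5 oper status pending",    # lower case still matches
]


def tokens(event: str) -> List[str]:
    """Lower-cased whitespace tokens (simplified stand-in for index terms)."""
    return event.lower().split()


def matches(event: str, *terms: str) -> bool:
    """True when every term occurs as a whole token, in any order and any case.

    A term containing spaces (a quoted phrase such as "| IN |") must occur as a
    contiguous run of tokens, bars included.
    """
    toks = tokens(event)
    for term in terms:
        want = term.lower().split()
        n = len(want)
        if not any(toks[i:i + n] == want for i in range(len(toks) - n + 1)):
            return False
    return True


def transaction_id(event: str) -> Optional[str]:
    """Extract the TransactionID field from the raw event (assumed key=value form)."""
    m = re.search(r"TransactionID=(\S+)", event)
    return m.group(1) if m else None


def intersect_ids(events: Iterable[str], a_terms: Tuple[str, ...],
                  b_terms: Tuple[str, ...]) -> Set[str]:
    """Equivalent of:
    [search A | fields TransactionID | fields - _*]
      set intersect
    [search B | fields TransactionID | fields - _*]
    Only TransactionID is compared, so internal and raw fields cannot break the match.
    """
    events = list(events)
    ids_a = {transaction_id(e) for e in events if matches(e, *a_terms)}
    ids_b = {transaction_id(e) for e in events if matches(e, *b_terms)}
    return (ids_a & ids_b) - {None}


def events_for(events: Iterable[str], ids: Set[str],
               *term_groups: Tuple[str, ...]) -> List[str]:
    """Outer search: (A) OR (B), restricted to the intersected TransactionIDs."""
    return [e for e in events
            if transaction_id(e) in ids and any(matches(e, *g) for g in term_groups)]


if __name__ == "__main__":
    in_1234 = ("oper", "| IN |", "1234")
    status = ("oper", "status")
    ids = intersect_ids(EVENTS, in_1234, status)
    for e in events_for(EVENTS, ids, in_1234, status):
        print(e)
```

Note that the model treats the numeric term 1234 exactly like the term xDSL: both are just tokens, so the intersection behaves the same for either, which is the outcome the answer above predicts.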