Ex:
sourcetype=abcd [search sourcetype=xyz field1=200 | table field2,field3,field4]
which will literally be
sourcetype=abcd [search field2="returned value" AND field3="returned value" AND field4="returned value"]
Is it possible to run
sourcetype=abcd [search field2="returned value" OR field3="returned value" OR field4="returned value"]
given that the field name conventions are the same in both sourcetypes?
You can fully control the logic of a subsearch by appending on to the end of it the format command:
http://docs.splunk.com/Documentation/Splunk/latest/Search/Changetheformatofsubsearchresults
In your case, though, just do this:
sourcetype=abcd [search sourcetype=xyz field1=200 | stats count by field2,field3,field4 | fields - count]
BY default, everything IN a row gets merged with an AND, and then everything ACROSS rows gets merged with an OR. Your original search was all one row, thus it got AND; my search is 3 rows, thus it gets OR.
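As an added illustration (not code from this thread or from Splunk itself), here is a small Python model of how subsearch result rows become a search string, using the documented default separators of the format command (`"(" "(" "AND" ")" "OR" ")"`). The three sample rows are constructed, and the value escaping is a simplification of Splunk's quoting rules.

```python
# Model of Splunk's subsearch-to-search-string conversion (added example,
# not Splunk's implementation). Defaults follow the format command:
# columns within a row are joined with AND, rows are joined with OR.

def _quote(value):
    # Quote a field value for the generated search. Escaping of backslashes
    # and embedded double quotes is a simplification of Splunk's rules.
    text = str(value).replace("\\", "\\\\").replace('"', '\\"')
    return '"' + text + '"'


def format_subsearch(rows, row_prefix="(", col_prefix="(", col_sep="AND",
                     col_end=")", row_sep="OR", row_end=")"):
    """Return the search string substituted for a subsearch.

    rows: list of dicts, one per result row (field name -> value).
    The keyword defaults mirror `| format "(" "(" "AND" ")" "OR" ")"`.
    An empty result list yields an empty string here; this model does not
    reproduce what Splunk substitutes for an empty subsearch.
    """
    row_strings = []
    for row in rows:
        terms = [field + "=" + _quote(value) for field, value in row.items()]
        joined_cols = (" " + col_sep + " ").join(terms)
        row_strings.append(col_prefix + " " + joined_cols + " " + col_end)
    if not row_strings:
        return ""
    joined_rows = (" " + row_sep + " ").join(row_strings)
    return row_prefix + " " + joined_rows + " " + row_end


# Constructed sample: the kind of rows that
# `stats count by field2,field3,field4 | fields - count` could return.
SAMPLE_ROWS = [
    {"field2": "abc", "field3": "xyz", "field4": "vbg"},
    {"field2": "abc", "field3": "qrs", "field4": "vbg"},
    {"field2": "def", "field3": "xyz", "field4": "tuv"},
]


def one_row_search():
    # A single row: every field is joined with AND, as in the question.
    return format_subsearch(SAMPLE_ROWS[:1])


def multi_row_search():
    # Several rows: AND inside each row, OR between rows (the answer's approach).
    return format_subsearch(SAMPLE_ROWS)


def or_within_row_search():
    # Equivalent of `| format "(" "(" "OR" ")" "OR" ")"`: OR inside the row too.
    return format_subsearch(SAMPLE_ROWS[:1], col_sep="OR")


if __name__ == "__main__":
    print(one_row_search())
    print(multi_row_search())
    print(or_within_row_search())
```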
Hey @Uday_Gonti,
You can try running this:
sourcetype=abcd field2="abc" OR field3="xyz" OR field4="vbg"
Let me know if this helps!!