Combine searches into 1 search

gnovak · ‎11-09-2010

Hello,

I have 3 saved searches that are pretty much all the same except for the source. the searches are:

sourcetype="cron_BalanceEmail" source="asia" starthoursago="1" BalanceEmail sent | rex field=_raw "[BalanceEmail](?[\d]+) of (?[\d]+) of email notification sent." | where TotalEmailsSent < TotalEmailsToSend

sourcetype="cron_BalanceEmail" source="info" starthoursago="1" BalanceEmail sent | rex field=_raw "[BalanceEmail](?[\d]+) of (?[\d]+) of email notification sent." | where TotalEmailsSent < TotalEmailsToSend

sourcetype="cron_BalanceEmail" source="org" starthoursago="1" BalanceEmail sent | rex field=_raw "[BalanceEmail](?[\d]+) of (?[\d]+) of email notification sent." | where TotalEmailsSent < TotalEmailsToSend

As you can see all are the same except for the source. I tried altering the search to say maybe source=asia AND info AND org but I must not be getting it right. anyone have any ideas? It's probably right in front of my face but I just can't see it.

gnovak · ‎11-09-2010

That worked. Doh! I guess i should have used OR instead of AND...thanks

chris · ‎11-09-2010

I'm glad that your query works now. Happy splunking 🙂

chris · ‎11-09-2010

Try this:

sourcetype="cron_BalanceEmail" (source="asia" OR source="info" OR source="org") starthoursago="1" BalanceEmail sent | rex field=_raw "[BalanceEmail](?[\d]+) of (?[\d]+) of email notification sent." | where TotalEmailsSent < TotalEmailsToSend

I hope this works for you if not let me know.

Chris

Combine searches into 1 search

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor