hello i have a problem with splunk results. in some of the RAW logs i have a field called as "ref" and in some logs i dont have that field. i want splunk to display the results even when a a particular field is missing.

for example:

query: index=pci_bpo_index device_id="FG*" type="virus" | stats count by log_id subtype msg status devname url | sort -10count

i get 246 results

and if i include the word ref in my search only 1 result comes out. i need to find a way for splunk to show me 246 results even if ref field is not included in the 245 RAW logs.

is their a "AND" 'OR" function we can use in our search which can solve this issue.

query: index=pci_bpo_index device_id="FG*" type="virus" | stats count by log_id subtype msg status devname url ref | sort -10count

if i include ref my result comes out to be only 1.

example of RAW logs

with ref field :

log_id=0211008192 type=virus subtype=infected pri=warning vd=root msg="File is infected." status=passthrough service=mm1 src=1.1.1.1 dst=2.2.2.2 sport=2560 src_port=2560 dport=5120 dst_port=5120 src_int=lo dst_int=dummy0 policyid=12345 identidx=67890 serial=312 dir=rx file=file_name checksum=N/A quarskip="No skip" virus=virus dtype=cat ref=fortinet/ve?vid=1 url=N/A carrier_ep="carrier endpoint" profile=N/A profiletype=N/A profilegroup=N/A user=user group=group agent=N/A from=N/A to=N/A

example without ref : log_id=0212008452 type=virus subtype=filename pri=warning vd=root msg="Command blocked." status=blocked service=ftp src=172.17.100.230 dst=172.19.125.98 sport=2620 src_port=2620 dport=21 dst_port=21 src_int=lan4 dst_int=wan1 policyid=2044 identidx=0 serial=218566 url=N/A user=N/A group=N/A command=REST