Hi
I try Splunk myself after I've join in Splunk beginning Course
and found this strange result. Does it bug or something?
sourcetype = access_combined_wcookie | search status="200"OR"500"
is not same as
sourcetype = access_combined_wcookie | search status="500"OR"200"
Splunk Source is website access.log and status is access status log
why?
![alt text][1]
![alt text][2]
[1]: /storage/temp/122191-ul01.jpg
[2]: /storage/temp/122195-ul02.jpg
↧