https://community.splunk.com/t5/Security/How-to-use-the-OR-operator/m-p/143977#M4410 <P>Hi I want to get the OR result of field Emp Code in search.<BR />I tried below conditions,but none of them worked.</P> <P>host=datahost where "Emp Code"=FCH OR "Emp Code"=ABC<BR />host=datahost "Emp Code"=FCH OR "Emp Code"=ABC<BR />host=datahost "Emp Code"=(FCH ABC)</P> <P>Can you help pls.</P> Tue, 15 Aug 2023 19:33:15 GMT SplunkBaby 2023-08-15T19:33:15Z https://community.splunk.com/t5/Security/How-to-use-the-OR-operator/m-p/143977#M4410 <P>Hi I want to get the OR result of field Emp Code in search.<BR />I tried below conditions,but none of them worked.</P> <P>host=datahost where "Emp Code"=FCH OR "Emp Code"=ABC<BR />host=datahost "Emp Code"=FCH OR "Emp Code"=ABC<BR />host=datahost "Emp Code"=(FCH ABC)</P> <P>Can you help pls.</P> Tue, 15 Aug 2023 19:33:15 GMT https://community.splunk.com/t5/Security/How-to-use-the-OR-operator/m-p/143977#M4410 SplunkBaby 2023-08-15T19:33:15Z https://community.splunk.com/t5/Security/How-to-use-the-OR-operator/m-p/143978#M4411 <P>In principle your second approach is correct... however, I'm a bit doubtful about the field name. Do your field extractions really yield a field named <CODE>Emp Code</CODE>?</P> Mon, 10 Feb 2014 17:39:04 GMT https://community.splunk.com/t5/Security/How-to-use-the-OR-operator/m-p/143978#M4411 martin_mueller 2014-02-10T17:39:04Z https://community.splunk.com/t5/Security/How-to-use-the-OR-operator/m-p/143979#M4412 <P>The second one is close to reality.</P> <P><CODE>host=myhost myfield=A OR myfield=B myotherfield=C</CODE></P> <P>is equivalent to </P> <P><CODE>host=myhost AND ( myfield=A OR myfield=B ) AND myotherfield=C</CODE></P> <P>If you are confused, add parenthesis.</P> Tue, 11 Feb 2014 00:00:48 GMT https://community.splunk.com/t5/Security/How-to-use-the-OR-operator/m-p/143979#M4412 yannK 2014-02-11T00:00:48Z https://community.splunk.com/t5/Security/How-to-use-the-OR-operator/m-p/143980#M4413 <P>Typically, Splunk will replace the space in your field name with _, so "Emp Code" would be Emp_Code.</P> Mon, 28 Sep 2020 15:51:26 GMT https://community.splunk.com/t5/Security/How-to-use-the-OR-operator/m-p/143980#M4413 the_wolverine 2020-09-28T15:51:26Z https://community.splunk.com/t5/Security/How-to-use-the-OR-operator/m-p/143981#M4414 <P>Try:</P> <PRE><CODE>host=datahost Emp_Code=FCH OR Emp_Code=ABC </CODE></PRE> Tue, 11 Feb 2014 00:31:11 GMT https://community.splunk.com/t5/Security/How-to-use-the-OR-operator/m-p/143981#M4414 the_wolverine 2014-02-11T00:31:11Z https://community.splunk.com/t5/Security/How-to-use-the-OR-operator/m-p/143982#M4415 <P>Thanks this solves my issue</P> Tue, 11 Feb 2014 07:59:01 GMT https://community.splunk.com/t5/Security/How-to-use-the-OR-operator/m-p/143982#M4415 SplunkBaby 2014-02-11T07:59:01Z https://community.splunk.com/t5/Security/How-to-use-the-OR-operator/m-p/143983#M4416 <P>Thanks this solves my issue</P> Tue, 11 Feb 2014 07:59:11 GMT https://community.splunk.com/t5/Security/How-to-use-the-OR-operator/m-p/143983#M4416 SplunkBaby 2014-02-11T07:59:11Z