https://community.splunk.com/t5/Getting-Data-In/How-can-I-search-for-the-field-host-with-multiple-values/m-p/400711#M71357 <P>Can you share a sample (sanitized) event, please?</P> Wed, 26 Sep 2018 15:48:20 GMT richgalloway 2018-09-26T15:48:20Z https://community.splunk.com/t5/Getting-Data-In/How-can-I-search-for-the-field-host-with-multiple-values/m-p/400710#M71356 <P>We ended up with an operation index that has two hosts per event, let's say <CODE>aaa</CODE> and <CODE>bbb</CODE>.<BR /> Searching for <CODE>index=shortland host=aaa</CODE> brings results but <CODE>index=shortland host=bbb</CODE> does not.</P> <P>What can it be?</P> Wed, 26 Sep 2018 15:19:15 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-I-search-for-the-field-host-with-multiple-values/m-p/400710#M71356 ddrillic 2018-09-26T15:19:15Z https://community.splunk.com/t5/Getting-Data-In/How-can-I-search-for-the-field-host-with-multiple-values/m-p/400711#M71357 <P>Can you share a sample (sanitized) event, please?</P> Wed, 26 Sep 2018 15:48:20 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-I-search-for-the-field-host-with-multiple-values/m-p/400711#M71357 richgalloway 2018-09-26T15:48:20Z https://community.splunk.com/t5/Getting-Data-In/How-can-I-search-for-the-field-host-with-multiple-values/m-p/400712#M71358 <P>Hi @ddrillic </P> <P>H can achieve with <STRONG>OR</STRONG> ,<STRONG>IN</STRONG><BR /> EG:- <CODE>host=aaa or host=bbb</CODE></P> <PRE><CODE>host in ("aaa","bbb") </CODE></PRE> <P>If my answer helped please accept answer or up vote</P> Wed, 26 Sep 2018 16:40:59 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-I-search-for-the-field-host-with-multiple-values/m-p/400712#M71358 harishalipaka 2018-09-26T16:40:59Z https://community.splunk.com/t5/Getting-Data-In/How-can-I-search-for-the-field-host-with-multiple-values/m-p/400713#M71359 <P>No worries - speaking with the sales engineer who explained that one <CODE>host</CODE> value was indexed at index time and another one was <EM>discovered</EM> at search time. Apparently, only the index time value is searchable when searching against the <CODE>host</CODE> field. </P> Wed, 26 Sep 2018 17:01:08 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-I-search-for-the-field-host-with-multiple-values/m-p/400713#M71359 ddrillic 2018-09-26T17:01:08Z https://community.splunk.com/t5/Getting-Data-In/How-can-I-search-for-the-field-host-with-multiple-values/m-p/400714#M71360 <P>Thank you @harishalipaka.</P> Wed, 26 Sep 2018 17:01:32 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-I-search-for-the-field-host-with-multiple-values/m-p/400714#M71360 ddrillic 2018-09-26T17:01:32Z https://community.splunk.com/t5/Getting-Data-In/How-can-I-search-for-the-field-host-with-multiple-values/m-p/400715#M71361 <P>For the record, a similar case at <A href="https://answers.splunk.com/answers/737894/how-to-handle-search-query-when-json-data-has-host.html?minQuestionBodyLength=80">How to handle search query when json data has host field?</A></P> Sat, 06 Apr 2019 21:47:57 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-I-search-for-the-field-host-with-multiple-values/m-p/400715#M71361 ddrillic 2019-04-06T21:47:57Z https://community.splunk.com/t5/Getting-Data-In/How-can-I-search-for-the-field-host-with-multiple-values/m-p/400716#M71362 <P>If that search does not work, then your <CODE>host</CODE> field does really have both values. We will never get to the bottom of this unless you post an event. and your props.conf settings.</P> Sun, 07 Apr 2019 01:49:32 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-I-search-for-the-field-host-with-multiple-values/m-p/400716#M71362 woodcock 2019-04-07T01:49:32Z