topic Re: How to combine multiple search raw strings in a single query in Splunk Search

How to combine multiple search raw strings in a single query

rkishoreqa — Fri, 05 Feb 2021 15:12:02 GMT

Hi,

I need to do search with multiple raw strings within a single query. When I search these strings separately, I am able to get the results. But when I combine these it is not giving the results and ending with 'No results found'.

The below three queries are working fine.

sourcetype="States*" *Karnataka*
sourcetype="States*" *Tamil Nadu*
sourcetype="States*" *Mumbai*

When I execute the below query I am getting 'No results found' comment.

sourcetype="States*" *Karnataka* *Tamil Nadu* *Mumbai*

Can anyone through some light on this, thanks in advance.

Re: How to combine multiple search raw strings in a single query

saravanan90 — Fri, 05 Feb 2021 15:13:29 GMT

Please use "OR" inbetween the searches..

sourcetype="States*" (*Karnataka* OR *Tamil Nadu* OR *Mumbai*)

Re: How to combine multiple search raw strings in a single query

richgalloway — Fri, 05 Feb 2021 15:17:12 GMT

SPL inserts an implicit AND between each search term. To search for optional terms, insert an explicit OR.

sourcetype="States*" ("*Karnataka*" OR "*Tamil Nadu*" OR "*Mumbai*")