https://community.splunk.com/t5/Splunk-Search/how-to-make-a-search-for-two-or-more-source-file-with-wildcard/m-p/556189#M157933 <P>What search criteria should I include to only get these logs?</P><P>D:\Applications\Windows.App.0001\app1\logs\log-06-17-2021-Test.log<BR />D:\Applications\Windows.App.0002\app1\logs\log-06-17-2021-Test.log<BR />D:\Applications\Windows.App.0003\app1\logs\log-06-172021-Test.log<BR />D:\Applications\PBS20.01\app1\logs\log-06-17-2021-Test.log<BR />D:\Applications\PBS20.02\app1\logs\log-06-17-2021-Test.log<BR />D:\Applications\PBS20.03\app1\logs\log-06-17-2021-Test.log<BR />D:\Applications\DDS0\app1\logs\log-06-17-2021-Test.log<BR />D:\Applications\DDS1\app1\logs\log-06-17-2021-Test.log</P><P><BR />I tried this but it did not work</P><P>source="*Windows.App*log*Test.log" source="*PBS20*log*Test.log" source="*DDS*log*Test.log"<BR />or this:<BR />source="*Windows.App*log*Test.log" or source="*PBS20*log*Test.log" or source="*DDS*log*Test.log"<BR />or this:<BR />source="*(Windows.App|PBS20|DDS)*log*Test.log)"</P><P>I can not use the "Applications " keyword since this is a common folder a crosses all applications we are using.</P><P>Thanks</P> Thu, 17 Jun 2021 18:43:54 GMT iamuser 2021-06-17T18:43:54Z https://community.splunk.com/t5/Splunk-Search/how-to-make-a-search-for-two-or-more-source-file-with-wildcard/m-p/556189#M157933 <P>What search criteria should I include to only get these logs?</P><P>D:\Applications\Windows.App.0001\app1\logs\log-06-17-2021-Test.log<BR />D:\Applications\Windows.App.0002\app1\logs\log-06-17-2021-Test.log<BR />D:\Applications\Windows.App.0003\app1\logs\log-06-172021-Test.log<BR />D:\Applications\PBS20.01\app1\logs\log-06-17-2021-Test.log<BR />D:\Applications\PBS20.02\app1\logs\log-06-17-2021-Test.log<BR />D:\Applications\PBS20.03\app1\logs\log-06-17-2021-Test.log<BR />D:\Applications\DDS0\app1\logs\log-06-17-2021-Test.log<BR />D:\Applications\DDS1\app1\logs\log-06-17-2021-Test.log</P><P><BR />I tried this but it did not work</P><P>source="*Windows.App*log*Test.log" source="*PBS20*log*Test.log" source="*DDS*log*Test.log"<BR />or this:<BR />source="*Windows.App*log*Test.log" or source="*PBS20*log*Test.log" or source="*DDS*log*Test.log"<BR />or this:<BR />source="*(Windows.App|PBS20|DDS)*log*Test.log)"</P><P>I can not use the "Applications " keyword since this is a common folder a crosses all applications we are using.</P><P>Thanks</P> Thu, 17 Jun 2021 18:43:54 GMT https://community.splunk.com/t5/Splunk-Search/how-to-make-a-search-for-two-or-more-source-file-with-wildcard/m-p/556189#M157933 iamuser 2021-06-17T18:43:54Z https://community.splunk.com/t5/Splunk-Search/how-to-make-a-search-for-two-or-more-source-file-with-wildcard/m-p/556223#M157940 <P>The first form won't work because of the implied AND operator between each expression.&nbsp; The source field cannot have more than one value at a time.</P><P>The second form should work, but the OR operator must be in upper-case.</P><P>The third form may work, but not as expected.&nbsp; The search command does not support regular expressions so it will try to find the specified string literally.</P> Thu, 17 Jun 2021 18:32:26 GMT https://community.splunk.com/t5/Splunk-Search/how-to-make-a-search-for-two-or-more-source-file-with-wildcard/m-p/556223#M157940 richgalloway 2021-06-17T18:32:26Z https://community.splunk.com/t5/Splunk-Search/how-to-make-a-search-for-two-or-more-source-file-with-wildcard/m-p/556225#M157942 <P>Thanks. The upper OR works. The other option I used is by using subquery. similar to this:<BR />source="D:\\Applications*Test.Log" |<BR />where like(source,<SPAN>"%Windows.App%log%Test.log"</SPAN>)&nbsp; or&nbsp;like(source,<SPAN>"%PBS20%log%Test.log"</SPAN>)&nbsp; or&nbsp;like(source,<SPAN>"%DDS%log%Test.log"</SPAN>)&nbsp; |<BR />table source, _raw</P> Thu, 17 Jun 2021 18:43:07 GMT https://community.splunk.com/t5/Splunk-Search/how-to-make-a-search-for-two-or-more-source-file-with-wildcard/m-p/556225#M157942 iamuser 2021-06-17T18:43:07Z