https://community.splunk.com/t5/Splunk-Search/Splunk-query-question/m-p/469111#M192013 <P>Hi, <BR /> If you know the pattern of these data, you can use a wildcard.<BR /> For example, if all the results that you are looking for starts with "ABCD" you can use the following search:</P> <P>index=test_data sourcetype=test_source_data protocolName=ABCD*</P> <P>Thanks,</P> Wed, 30 Sep 2020 02:44:58 GMT danielcj 2020-09-30T02:44:58Z https://community.splunk.com/t5/Splunk-Search/Splunk-query-question/m-p/469109#M192011 <P>how can i do this search in better way:</P> <P>index=test_data sourcetype=test_source_data protocolName="ABCDE4C72260F082" OR "ABCDE4C72260EFB9" OR "ABCD881DFC610A55" OR "ABCD7426ACF35BAB" OR "ABCDE4C72260F2C5" OR "ABCD006CBCB9D1E3" OR "ABCD881DFC610A4C" OR "ABCDE4C7226C5BEA" OR "ABCDD867D97AA69C" OR "ABCD881DFC610A0B" OR "ABCDCC8E7169722A" OR "ABCDE4C7226C5C94" OR "ABCDB4DE312BA73C" OR "ABCD78725D631F67" OR "ABCD006CBCB9E1F4" OR "ABCD706E6D2C8D9A" OR "ABCDCC8E7168B664" OR "ABCD881DFC610A34" OR "ABCDE4C72260F3B9" OR "ABCD006CBCB9D2E9" OR "ABCDE4C7226BF60C" OR "ABCD00FEC8607BD3" OR "ABCD00CCFC615EED" OR "ABCD00778D904BD0" OR "ABCD00778D904B16" OR "ABCD00778D904BEE" OR "ABCD00778D90688A" OR "ABCD00778D906724" OR "ABCD6C8BD3FF7165" OR "ABCD7426ACF35BAE" OR "ABCD1C6A7AE08E4C" OR "ABCD881DFC610A50" OR "ABCD042AE2C7E309" OR "ABCDE4C7226C5BEF" OR "ABCDE4C7226C5CC9" OR "ABCD006CBCB9E1FF" OR "ABCDE4C7226C5BB0" OR "ABCD5C838F5E6F26" OR "ABCD006CBCB9E1FB" OR "ABCD006CBCB9D259" OR "ABCD7426ACF35BED" OR "ABCD002790FF6F41" OR "ABCD0027900DFEED" OR "ABCDCC8E7169D5FD" OR "ABCD002790FF25EA" OR "ABCDCC8E7169D6CB" OR "ABCDCC8E71697252" OR "ABCDCC8E716973A7" OR "ABCDCC8E7169D638" OR "ABCDCC8E716972C6" OR "ABCD247E12F13391" OR "ABCDD867D973C0D4" OR "ABCDB4DE312C0E09" OR "ABCDB4DE312BCBE3" OR "ABCDCC8E71682B3C" OR "ABCDB4DE312BCBE9" OR "ABCDB4DE312BCB89" OR "ABCDCC8E7168B47A" OR "ABCD64F69D6F1F04" OR "ABCDB4DE312BDA40" OR "ABCDD867D9722B78" OR "ABCDD867D9722B56" OR "ABCDD867D9722F13" OR "ABCDE4C72260F81A" OR "ABCDE4C72263C351" OR "ABCD00AF1FF1178E" OR "ABCD5C838F5E576A" OR "ABCD00AF1FF1178C" OR "ABCD00AF1FF11766" OR "ABCDD867D972890E" OR "ABCD64F69D66AA2E" OR "ABCDF07F0629BBD9" OR "ABCDC471FEE662DC" OR "ABCD00CAE53D8258" OR "ABCD00A5BFC59B70" OR "ABCDA89D21482882" OR "ABCDE4C7226B5E88" OR "ABCD7426ACF35BC2" OR "ABCD7426ACF35BEC" OR "ABCD64F69D66AA10" OR "ABCDE4C7226148B1" OR "ABCDE4C7226AD28D" OR "ABCD64F69D66AA22" OR "ABCDE4C722614643" OR "ABCD1C6A7AE071F2" OR "ABCDD867D9722561" OR "ABCD64F69D6F1956" OR "ABCD046273E51767" OR "ABCDD867D9724F24" OR "ABCD7426ACF35BDB" OR "ABCDD867D9725951" </P> Wed, 30 Sep 2020 02:44:52 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-query-question/m-p/469109#M192011 shtom 2020-09-30T02:44:52Z https://community.splunk.com/t5/Splunk-Search/Splunk-query-question/m-p/469110#M192012 <P>Hi,</P> <P>Create a lookup with these values.<BR /> Create a sub-search on the lookup and use the output of sub-search as input to the main query.</P> <PRE><CODE>index=test_data sourcetype=test_source_data [| inputlookup protocolnames.csv | table protocolName] </CODE></PRE> <P>Accept and upvote the answer if it helps.</P> <P>happy splunking.......!!!!!!!!!</P> Thu, 24 Oct 2019 13:10:58 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-query-question/m-p/469110#M192012 gaurav_maniar 2019-10-24T13:10:58Z https://community.splunk.com/t5/Splunk-Search/Splunk-query-question/m-p/469111#M192013 <P>Hi, <BR /> If you know the pattern of these data, you can use a wildcard.<BR /> For example, if all the results that you are looking for starts with "ABCD" you can use the following search:</P> <P>index=test_data sourcetype=test_source_data protocolName=ABCD*</P> <P>Thanks,</P> Wed, 30 Sep 2020 02:44:58 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-query-question/m-p/469111#M192013 danielcj 2020-09-30T02:44:58Z