Archive

Does the`search` command has implicit AND between expressions?

Explorer

I always understood the search command's expressions be connected by a logical AND by default:
search customer=123 item=flower will return events that have both customer=123 AND item=flower.

However, I was looking at the Search Reference:
https://docs.splunk.com/Documentation/Splunk/7.3.0/SearchReference/Search
Under Syntax, I see this excerpt:
<logical-expression> [OR] <logical-expression>

This reads to me like [OR] is optional and means the same without [OR] with a space separator, so I interpret it as:
<logical-expression> [OR] <logical-expression> is equivalent to <logical-expression> <logical-expression>

Am I not understanding this syntax in Reference correctly?

0 Karma

Ultra Champion

I think you're indeed misinterpreting that syntax. When no operator is specified, AND is implied. I do agree that this can be a little confusing. You might want to post that as a feedback at the bottom of the docs page, such that the author of that page can perhaps clarify that.

0 Karma