Hi I want to get the OR result of field Emp Code in search.I tried below conditions,but none of them worked.
host=datahost where "Emp Code"=FCH OR "Emp Code"=ABChost=datahost "Emp Code"=FCH OR "Emp Code"=ABChost=datahost "Emp Code"=(FCH ABC)
Can you help pls.
Try:
host=datahost Emp_Code=FCH OR Emp_Code=ABC
Thanks this solves my issue
Typically, Splunk will replace the space in your field name with _, so "Emp Code" would be Emp_Code.
The second one is close to reality.
host=myhost myfield=A OR myfield=B myotherfield=C
is equivalent to
host=myhost AND ( myfield=A OR myfield=B ) AND myotherfield=C
If you are confused, add parenthesis.
In principle your second approach is correct... however, I'm a bit doubtful about the field name. Do your field extractions really yield a field named Emp Code?
Emp Code
