How to use the OR operator?

SplunkBaby · ‎02-10-2014

Hi I want to get the OR result of field Emp Code in search.
I tried below conditions,but none of them worked.

host=datahost where "Emp Code"=FCH OR "Emp Code"=ABC
host=datahost "Emp Code"=FCH OR "Emp Code"=ABC
host=datahost "Emp Code"=(FCH ABC)

Can you help pls.

the_wolverine · ‎02-10-2014

Try:

host=datahost Emp_Code=FCH OR Emp_Code=ABC

SplunkBaby · ‎02-10-2014

Thanks this solves my issue

the_wolverine · ‎02-10-2014

Typically, Splunk will replace the space in your field name with _, so "Emp Code" would be Emp_Code.

yannK · ‎02-10-2014

The second one is close to reality.

host=myhost myfield=A OR myfield=B myotherfield=C

is equivalent to

host=myhost AND ( myfield=A OR myfield=B ) AND myotherfield=C

If you are confused, add parenthesis.

SplunkBaby · ‎02-10-2014

Thanks this solves my issue

martin_mueller · ‎02-10-2014

In principle your second approach is correct... however, I'm a bit doubtful about the field name. Do your field extractions really yield a field named Emp Code?

How to use the OR operator?

other

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!