OR operator

SplunkBaby
Explorer

Hi, I want to get the OR result of the field Emp Code in a search.
I tried the conditions below, but none of them worked.

host=datahost where "Emp Code"=FCH OR "Emp Code"=ABC
host=datahost "Emp Code"=FCH OR "Emp Code"=ABC
host=datahost "Emp Code"=(FCH ABC)

Can you help, please?

the_wolverine
Champion

Try:

host=datahost Emp_Code=FCH OR Emp_Code=ABC

SplunkBaby
Explorer

Thanks, this solves my issue.

the_wolverine
Champion

Typically, Splunk will replace the space in your field name with _, so "Emp Code" would be Emp_Code.

yannK
Splunk Employee

The second one is close to reality.

host=myhost myfield=A OR myfield=B myotherfield=C

is equivalent to

host=myhost AND ( myfield=A OR myfield=B ) AND myotherfield=C

If you are confused, add parentheses.

SplunkBaby
Explorer

Thanks, this solves my issue.

martin_mueller
SplunkTrust

In principle your second approach is correct... however, I'm a bit doubtful about the field name. Do your field extractions really yield a field named Emp Code?
