Security

OR operator

Explorer

Hi I want to get the OR result of field Emp Code in search.
I tried below conditions,but none of them worked.

host=datahost where "Emp Code"=FCH OR "Emp Code"=ABC
host=datahost "Emp Code"=FCH OR "Emp Code"=ABC
host=datahost "Emp Code"=(FCH ABC)

Can you help pls.

0 Karma

Champion

Try:

host=datahost Emp_Code=FCH OR Emp_Code=ABC

Explorer

Thanks this solves my issue

0 Karma

Champion

Typically, Splunk will replace the space in your field name with , so "Emp Code" would be EmpCode.

Splunk Employee
Splunk Employee

The second one is close to reality.

host=myhost myfield=A OR myfield=B myotherfield=C

is equivalent to

host=myhost AND ( myfield=A OR myfield=B ) AND myotherfield=C

If you are confused, add parenthesis.

Explorer

Thanks this solves my issue

0 Karma

SplunkTrust
SplunkTrust

In principle your second approach is correct... however, I'm a bit doubtful about the field name. Do your field extractions really yield a field named Emp Code?