Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Highlighted

Add multiple device types to search string

fschiavo
New Member
‎08-27-2014 12:21 PM

I want to add cer device type to the following string to search for both. Boolean expression?

index=cisco cdnt* partial service

Tags (1)
0 Karma
Reply
Highlighted

Re: Add multiple device types to search string

kristian_kolb
Ultra Champion
‎08-27-2014 01:51 PM

Yes, with implicit AND between all search terms. Examples;

host=alice host=bob

will return no events. host cannot be both 'alice' and 'bob' at the same time.

(host=alice user=david) OR user=cecilia

will return all events from host 'alice' where user=david, and all events where user=cecilia, regardless of originiating host.

host=sales price!=55

will return all events from the host 'sales', if the events contain the field 'price' and the value is not '55'.

host=sales NOT price=55

will return all events from the host 'sales', that don't contain price=55, even events that do not have 'price' in them at all.

and so on. See more in the docs.

http://docs.splunk.com/Documentation/Splunk/6.1.3/SearchTutorial/Aboutthesearchapp

/K

0 Karma
Reply
Highlighted

Re: Add multiple device types to search string

somesoni2
SplunkTrust
SplunkTrust
‎08-27-2014 01:52 PM

By default all filters (separated by space here) are using AND boolean expression. you can just add your devicetype string (if its not an extracted field) OR devicetype="valuehere" (if its an extracted field).

0 Karma
Reply