Add multiple device types to search string

fschiavo · ‎08-27-2014

I want to add cer device type to the following string to search for both. Boolean expression?

index=cisco cdnt* partial service

somesoni2 · ‎08-27-2014

By default all filters (separated by space here) are using AND boolean expression. you can just add your devicetype string (if its not an extracted field) OR devicetype="valuehere" (if its an extracted field).

kristian_kolb · ‎08-27-2014

Yes, with implicit AND between all search terms. Examples;

host=alice host=bob

will return no events. host cannot be both 'alice' and 'bob' at the same time.

(host=alice user=david) OR user=cecilia

will return all events from host 'alice' where user=david, and all events where user=cecilia, regardless of originiating host.

host=sales price!=55

will return all events from the host 'sales', if the events contain the field 'price' and the value is not '55'.

host=sales NOT price=55

will return all events from the host 'sales', that don't contain price=55, even events that do not have 'price' in them at all.

and so on. See more in the docs.

http://docs.splunk.com/Documentation/Splunk/6.1.3/SearchTutorial/Aboutthesearchapp

/K

Add multiple device types to search string

This Week's Community Digest - Splunk Community Happenings [9.26.22]

BSides Splunk 2022 - The Call for Papers is now Open!

Sending Metrics to Splunk Enterprise With the OpenTelemetry Collector