Hi, all.
I'd like to know if I've been wasting time over the last few years by using an overly formal grammar for performing Splunk searches.
Let's say I have an extracted field called "color" and I want to search for several colors in my data: red, blue, and black. Here's what my searches look like right now:
color="red" OR color="blue" OR color="black"
Assume that this search works correctly and Splunk returns the data I expect. Even though the search works, I'd like to be able to search using a more compressed query string, something like one of the three examples below:
color=(red,blue,black)
or
color=("red","blue","black")
or even
color=("red" OR "blue" OR "black")
I could really save a lot of typing on those queries when I'm looking for 20 or more colors at a time. Did I overlook a page in the Splunk documentation? If it cannot be done, that's fine too. 🙂
Thanks!
I don't think there's anything in the splunk search language that performs exactly this way.
Some possible approaches:
tag::cool_colors
where color=red, color=blue and color=black had been tagged cool_colors.
Thanks, jrodman.
I agree that I'm pretty much asking for something that's just not possible right now. I think I'll submit a feature request and see what the Splunk devs say.