Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Grouping multiple OR values
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi People,
Is there any efficient way of grouping values?
I have like 20 Or statement that I need to match
something like
("x" OR "Y" OR "Z" OR "A" OR "B" OR "C")
Is there any expression like
any of (x,y,z,a,b,c) ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@babakkhorshid,
Try,
field_name IN(x,y,z,a,b,c)
Reference : Multiple field-value comparisons with the IN operator
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@babakkhorshid,
Try,
field_name IN(x,y,z,a,b,c)
Reference : Multiple field-value comparisons with the IN operator
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Renjith
I think this would solve my issue.
But out of interest:
What if the field_Name is not the same.
Like we have Multiple events (like Phrases or words we need to match) in multiple fields?
example: "200" "201" "202" "203" "204" in fields A, B and C
Much appreciate your help and Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@babakkhorshid ,
Thanks. Please accept as answer if it's working for you.
For handling different field name, you may use field alias and use the alias in search as described in https://docs.splunk.com/Documentation/Splunk/7.3.1/Knowledge/Addaliasestofields
What goes around comes around. If it helps, hit it with Karma 🙂
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Unlocking Unified Insights: New Gigamon Federated Search App for Splunk
GA: New Data Management App in Splunk Platform
Announcing Modern Navigation: A New Era of Splunk User Experience
