Solved: Grouping multiple OR values

babakkhorshid · ‎09-02-2019

Hi People,
Is there any efficient way of grouping values?
I have like 20 Or statement that I need to match
something like
("x" OR "Y" OR "Z" OR "A" OR "B" OR "C")

Is there any expression like
any of (x,y,z,a,b,c) ?

renjith_nair · ‎09-02-2019

@babakkhorshid,

Try,

field_name IN(x,y,z,a,b,c)

Reference : Multiple field-value comparisons with the IN operator

Happy Splunking!

View solution in original post

renjith_nair · ‎09-02-2019

@babakkhorshid,

Try,

field_name IN(x,y,z,a,b,c)

Reference : Multiple field-value comparisons with the IN operator

Happy Splunking!

babakkhorshid · ‎09-02-2019

Thanks Renjith

I think this would solve my issue.

But out of interest:
What if the field_Name is not the same.

Like we have Multiple events (like Phrases or words we need to match) in multiple fields?

example: "200" "201" "202" "203" "204" in fields A, B and C

Much appreciate your help and Thanks

renjith_nair · ‎09-03-2019

@babakkhorshid ,
Thanks. Please accept as answer if it's working for you.

For handling different field name, you may use field alias and use the alias in search as described in https://docs.splunk.com/Documentation/Splunk/7.3.1/Knowledge/Addaliasestofields

Happy Splunking!

Grouping multiple OR values

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!