Solved: How to combine multiple search raw strings in a si...

rkishoreqa · ‎02-05-2021

Hi,

I need to do search with multiple raw strings within a single query. When I search these strings separately, I am able to get the results. But when I combine these it is not giving the results and ending with 'No results found'.

The below three queries are working fine.

sourcetype="States*" *Karnataka*
sourcetype="States*" *Tamil Nadu*
sourcetype="States*" *Mumbai*

When I execute the below query I am getting 'No results found' comment.

sourcetype="States*" *Karnataka* *Tamil Nadu* *Mumbai*

Can anyone through some light on this, thanks in advance.

richgalloway · ‎02-05-2021

SPL inserts an implicit AND between each search term. To search for optional terms, insert an explicit OR.

sourcetype="States*" ("*Karnataka*" OR "*Tamil Nadu*" OR "*Mumbai*")

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎02-05-2021

SPL inserts an implicit AND between each search term. To search for optional terms, insert an explicit OR.

sourcetype="States*" ("*Karnataka*" OR "*Tamil Nadu*" OR "*Mumbai*")

---
If this reply helps you, Karma would be appreciated.

saravanan90 · ‎02-05-2021

Please use "OR" inbetween the searches..

sourcetype="States*" (*Karnataka* OR *Tamil Nadu* OR *Mumbai*)

How to combine multiple search raw strings in a single query

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies