Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

I want to use an 'or' argument in my search is this possible?

a123537
New Member
‎09-06-2019 03:07 AM

So I have a search query which returns registrations for a website called CXI. See below:

sourcetype=applog Successfully created account for ROW member CXI

Ideally I want the same query to look for two websites, CXI and VHI

Is this possible? If so, what do I write?

Thanks
Jemma

Tags (1)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-06-2019 03:21 AM

Hi a123537,
did you tried with the following approach?

sourcetype=applog Successfully created account for ROW member (CXI OR VHI)

I suggest to follow the Splunk Search Tutorial ( https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchTutorial/WelcometotheSearchTutorial ) or other web resources (like https://www.youtube.com/watch?v=xtyH_6iMxwA ) to better learn how to use Splunk and Splunk free eLearning courses like Splunk Fundamentals I ( www.splunk.com/en_us/training/free-courses/splunk-fundamentals-1.html ).

In addition I hint to use always the index= clause because your search will be faster.

Bye.
Giuseppe

0 Karma
Reply

renjith_nair
Legend
‎09-06-2019 03:19 AM

@a123537 ,

Try

sourcetype=applog "Successfully created account for ROW member" ("CXI" OR "VHI")

Reference : Learn Splunk Search Syntax

Happy Splunking!
0 Karma
Reply

a123537
New Member
‎09-06-2019 04:50 AM

@renjith.nair Yes this works great within the Splunk application, but my API (i'm pulling the query into PowerBI) doesn't like the quotes. I also tried single quotes with no luck.

Do you know how I can use the OR argument within the API?

Thanks!
Jemma

0 Karma
Reply

renjith_nair
Legend
‎09-06-2019 05:51 AM

@a123537 , search API shouldn't be any different . Try escaping the quotes \"

Happy Splunking!
0 Karma
Reply

a123537
New Member
‎09-06-2019 07:38 AM

@renjith.nair I did try that, but without the quotes it doesn't know the OR is an argument, so it searched for Successfully created account for ROW member cxi or vhi

I think because Splunk uses SPL query language, and Power BI uses M Query, which uses quotes in a different way, it's getting confused and says the quotes are a syntax error.

Perhaps I can't use the OR argument in this particular application and will have to continue with two separate datasets.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...