Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

I want to use an 'or' argument in my search is this possible?

a123537
New Member
‎09-06-2019 03:07 AM

So I have a search query which returns registrations for a website called CXI. See below:

sourcetype=applog Successfully created account for ROW member CXI

Ideally I want the same query to look for two websites, CXI and VHI

Is this possible? If so, what do I write?

Thanks
Jemma

Tags (1)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-06-2019 03:21 AM

Hi a123537,
did you tried with the following approach?

sourcetype=applog Successfully created account for ROW member (CXI OR VHI)

I suggest to follow the Splunk Search Tutorial ( https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchTutorial/WelcometotheSearchTutorial ) or other web resources (like https://www.youtube.com/watch?v=xtyH_6iMxwA ) to better learn how to use Splunk and Splunk free eLearning courses like Splunk Fundamentals I ( www.splunk.com/en_us/training/free-courses/splunk-fundamentals-1.html ).

In addition I hint to use always the index= clause because your search will be faster.

Bye.
Giuseppe

0 Karma
Reply

renjith_nair
Legend
‎09-06-2019 03:19 AM

@a123537 ,

Try

sourcetype=applog "Successfully created account for ROW member" ("CXI" OR "VHI")

Reference : Learn Splunk Search Syntax

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply

a123537
New Member
‎09-06-2019 04:50 AM

@renjith.nair Yes this works great within the Splunk application, but my API (i'm pulling the query into PowerBI) doesn't like the quotes. I also tried single quotes with no luck.

Do you know how I can use the OR argument within the API?

Thanks!
Jemma

0 Karma
Reply

renjith_nair
Legend
‎09-06-2019 05:51 AM

@a123537 , search API shouldn't be any different . Try escaping the quotes \"

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply

a123537
New Member
‎09-06-2019 07:38 AM

@renjith.nair I did try that, but without the quotes it doesn't know the OR is an argument, so it searched for Successfully created account for ROW member cxi or vhi

I think because Splunk uses SPL query language, and Power BI uses M Query, which uses quotes in a different way, it's getting confused and says the quotes are a syntax error.

Perhaps I can't use the OR argument in this particular application and will have to continue with two separate datasets.

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...