Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

I want to use an 'or' argument in my search is this possible?

a123537
New Member
‎09-06-2019 03:07 AM

So I have a search query which returns registrations for a website called CXI. See below:

sourcetype=applog Successfully created account for ROW member CXI

Ideally I want the same query to look for two websites, CXI and VHI

Is this possible? If so, what do I write?

Thanks
Jemma

Tags (1)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-06-2019 03:21 AM

Hi a123537,
did you tried with the following approach?

sourcetype=applog Successfully created account for ROW member (CXI OR VHI)

I suggest to follow the Splunk Search Tutorial ( https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchTutorial/WelcometotheSearchTutorial ) or other web resources (like https://www.youtube.com/watch?v=xtyH_6iMxwA ) to better learn how to use Splunk and Splunk free eLearning courses like Splunk Fundamentals I ( www.splunk.com/en_us/training/free-courses/splunk-fundamentals-1.html ).

In addition I hint to use always the index= clause because your search will be faster.

Bye.
Giuseppe

0 Karma
Reply

renjith_nair
Legend
‎09-06-2019 03:19 AM

@a123537 ,

Try

sourcetype=applog "Successfully created account for ROW member" ("CXI" OR "VHI")

Reference : Learn Splunk Search Syntax

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply

a123537
New Member
‎09-06-2019 04:50 AM

@renjith.nair Yes this works great within the Splunk application, but my API (i'm pulling the query into PowerBI) doesn't like the quotes. I also tried single quotes with no luck.

Do you know how I can use the OR argument within the API?

Thanks!
Jemma

0 Karma
Reply

renjith_nair
Legend
‎09-06-2019 05:51 AM

@a123537 , search API shouldn't be any different . Try escaping the quotes \"

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply

a123537
New Member
‎09-06-2019 07:38 AM

@renjith.nair I did try that, but without the quotes it doesn't know the OR is an argument, so it searched for Successfully created account for ROW member cxi or vhi

I think because Splunk uses SPL query language, and Power BI uses M Query, which uses quotes in a different way, it's getting confused and says the quotes are a syntax error.

Perhaps I can't use the OR argument in this particular application and will have to continue with two separate datasets.

0 Karma
Reply
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...