So I have a search query which returns registrations for a website called CXI. See below:
sourcetype=applog Successfully created account for ROW member CXI
Ideally I want the same query to look for two websites, CXI and VHI
Is this possible? If so, what do I write?
Thanks
Jemma
Hi a123537,
did you try the following approach?
sourcetype=applog Successfully created account for ROW member (CXI OR VHI)
I suggest following the Splunk Search Tutorial ( https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchTutorial/WelcometotheSearchTutorial ) or other web resources (like https://www.youtube.com/watch?v=xtyH_6iMxwA ) to better learn how to use Splunk, as well as Splunk free eLearning courses like Splunk Fundamentals I ( www.splunk.com/en_us/training/free-courses/splunk-fundamentals-1.html ).
In addition, I suggest always using the index= clause because your search will be faster.
Bye.
Giuseppe
@a123537,
Try
sourcetype=applog "Successfully created account for ROW member" ("CXI" OR "VHI")
Reference: Learn Splunk Search Syntax
@renjith.nair Yes this works great within the Splunk application, but my API (I'm pulling the query into PowerBI) doesn't like the quotes. I also tried single quotes with no luck.
Do you know how I can use the OR argument within the API?
Thanks!
Jemma
@a123537, the search API shouldn't be any different. Try escaping the quotes: \"
@renjith.nair I did try that, but without the quotes it doesn't know the OR is an argument, so it searched for Successfully created account for ROW member cxi or vhi
I think because Splunk uses SPL query language, and Power BI uses M Query, which uses quotes in a different way, it's getting confused and says the quotes are a syntax error.
Perhaps I can't use the OR argument in this particular application and will have to continue with two separate datasets.
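Added example, not part of the original thread: the quoted-phrase query from above passed through the two quoting layers discussed here, the form-encoded body for Splunk's REST endpoint /services/search/jobs/export and a Power Query M text literal. It assumes the query is sent as the search parameter of that endpoint and pasted into M as a text literal; the function names are hypothetical.

```python
from urllib.parse import urlencode, parse_qs

# Query from the thread: quoted phrase, then either site name.
SPL = 'sourcetype=applog "Successfully created account for ROW member" ("CXI" OR "VHI")'


def export_body(spl: str, output_mode: str = "csv") -> str:
    """Form-encode a search for a POST to /services/search/jobs/export."""
    spl = spl.strip()
    # Over REST the string must begin with a command; Splunk Web adds
    # the implicit "search" for you, the API does not.
    if not spl.startswith(("search ", "|")):
        spl = "search " + spl
    # urlencode percent-encodes quotes, parentheses and spaces, so the
    # phrase and the OR group arrive at Splunk unchanged.
    return urlencode({"search": spl, "output_mode": output_mode})


def m_text_literal(text: str) -> str:
    """Write text as a Power Query M text literal.

    M escapes a double quote inside a literal by doubling it ("");
    a backslash is an ordinary character there.
    """
    return '"' + text.replace('"', '""') + '"'


def m_text_value(literal: str) -> str:
    """Read an M text literal back to its value (quotes only)."""
    if len(literal) < 2 or literal[0] != '"' or literal[-1] != '"':
        raise ValueError("not an M text literal")
    return literal[1:-1].replace('""', '"')


def decoded_search(body: str) -> str:
    """What Splunk receives in the 'search' parameter."""
    return parse_qs(body)["search"][0]


if __name__ == "__main__":
    body = export_body(SPL)
    print("POST body:  ", body)
    print("Splunk sees:", decoded_search(body))
    print("M literal:  ", m_text_literal("search " + SPL))
```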