Splunk Search

I want to use an 'or' argument in my search. Is this possible?

a123537
New Member

So I have a search query which returns registrations for a website called CXI. See below:

sourcetype=applog Successfully created account for ROW member CXI

Ideally I want the same query to look for two websites, CXI and VHI

Is this possible? If so, what do I write?

Thanks
Jemma

0 Karma

gcusello
SplunkTrust

Hi a123537,
did you try the following approach?

sourcetype=applog Successfully created account for ROW member (CXI OR VHI)

I suggest following the Splunk Search Tutorial ( https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchTutorial/WelcometotheSearchTutorial ) or other web resources (like https://www.youtube.com/watch?v=xtyH_6iMxwA ) to better learn how to use Splunk, and Splunk free eLearning courses like Splunk Fundamentals I ( www.splunk.com/en_us/training/free-courses/splunk-fundamentals-1.html ).

In addition, I suggest always using the index= clause because your search will be faster.

Bye.
Giuseppe

0 Karma

renjith_nair
SplunkTrust

@a123537 ,

Try

sourcetype=applog "Successfully created account for ROW member" ("CXI" OR "VHI")

Reference: Learn Splunk Search Syntax

Happy Splunking!
0 Karma

a123537
New Member

@renjith.nair Yes, this works great within the Splunk application, but my API (I'm pulling the query into PowerBI) doesn't like the quotes. I also tried single quotes with no luck.

Do you know how I can use the OR argument within the API?

Thanks!
Jemma

0 Karma

renjith_nair
SplunkTrust

@a123537, the search API shouldn't be any different. Try escaping the quotes: \"

Happy Splunking!
0 Karma

a123537
New Member

@renjith.nair I did try that, but without the quotes it doesn't know the OR is an argument, so it searched for Successfully created account for ROW member cxi or vhi

I think because Splunk uses SPL query language, and Power BI uses M Query, which uses quotes in a different way, it's getting confused and says the quotes are a syntax error.

Perhaps I can't use the OR argument in this particular application and will have to continue with two separate datasets.

0 Karma
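The quoting problem in this thread has three layers (SPL, the M text literal, and the HTTP form body); the following Power Query M sketch is an added example, not code from any of the posters, and it keeps the quoted OR search intact through all three. Assumptions: the host name is a placeholder, the data is pulled from Splunk's REST export endpoint (services/search/jobs/export) on the management port, and credentials are supplied through Power BI's data source settings.

```powerquery
let
    // Hypothetical values: replace with your own Splunk management host and site list.
    SplunkHost = "https://splunk.example.com:8089",
    Sites = {"CXI", "VHI"},

    // SPL layer: wrap a term in double quotes, backslash-escaping any \ or " inside it.
    // In M, """" is a text value holding one double quote and "\""" holds \" .
    QuoteSpl = (term as text) as text =>
        """" & Text.Replace(Text.Replace(term, "\", "\\"), """", "\""") & """",

    // Builds ("CXI" OR "VHI"); adding a third site is a change to the Sites list only.
    OrGroup = "(" & Text.Combine(List.Transform(Sites, QuoteSpl), " OR ") & ")",

    // M layer: a double quote inside an M text literal is written as two double quotes.
    // Over the REST API the search string must start with the "search" command.
    Spl = "search sourcetype=applog ""Successfully created account for ROW member"" " & OrGroup,

    // HTTP layer: Uri.BuildQueryString percent-encodes quotes, spaces and parentheses.
    Body = Uri.BuildQueryString([search = Spl, output_mode = "csv"]),

    // Supplying Content makes Web.Contents send a POST request.
    Response = Web.Contents(SplunkHost, [
        RelativePath = "services/search/jobs/export",
        Headers = [#"Content-Type" = "application/x-www-form-urlencoded"],
        Content = Text.ToBinary(Body)
    ]),

    // The export endpoint streams CSV; the first row holds the field names.
    Result = Table.PromoteHeaders(Csv.Document(Response))
in
    Result
```

Evaluating the Spl step on its own in the Power Query editor shows the exact search string that Splunk will receive, which can be pasted into the Splunk search bar (without the leading "search") to compare results.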