Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

I want to use an 'or' argument in my search is this possible?

a123537
New Member
‎09-06-2019 03:07 AM

So I have a search query which returns registrations for a website called CXI. See below:

sourcetype=applog Successfully created account for ROW member CXI

Ideally I want the same query to look for two websites, CXI and VHI

Is this possible? If so, what do I write?

Thanks
Jemma

Tags (1)
0 Karma
Reply

gcusello
Esteemed Legend
‎09-06-2019 03:21 AM

Hi a123537,
did you tried with the following approach?

sourcetype=applog Successfully created account for ROW member (CXI OR VHI)

I suggest to follow the Splunk Search Tutorial ( https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchTutorial/WelcometotheSearchTutorial ) or other web resources (like https://www.youtube.com/watch?v=xtyH_6iMxwA ) to better learn how to use Splunk and Splunk free eLearning courses like Splunk Fundamentals I ( www.splunk.com/en_us/training/free-courses/splunk-fundamentals-1.html ).

In addition I hint to use always the index= clause because your search will be faster.

Bye.
Giuseppe

0 Karma
Reply

renjith_nair
SplunkTrust
SplunkTrust
‎09-06-2019 03:19 AM

@a123537 ,

Try

sourcetype=applog "Successfully created account for ROW member" ("CXI" OR "VHI")

Reference : Learn Splunk Search Syntax

Happy Splunking!
0 Karma
Reply

a123537
New Member
‎09-06-2019 04:50 AM

@renjith.nair Yes this works great within the Splunk application, but my API (i'm pulling the query into PowerBI) doesn't like the quotes. I also tried single quotes with no luck.

Do you know how I can use the OR argument within the API?

Thanks!
Jemma

0 Karma
Reply

renjith_nair
SplunkTrust
SplunkTrust
‎09-06-2019 05:51 AM

@a123537 , search API shouldn't be any different . Try escaping the quotes \"

Happy Splunking!
0 Karma
Reply

a123537
New Member
‎09-06-2019 07:38 AM

@renjith.nair I did try that, but without the quotes it doesn't know the OR is an argument, so it searched for Successfully created account for ROW member cxi or vhi

I think because Splunk uses SPL query language, and Power BI uses M Query, which uses quotes in a different way, it's getting confused and says the quotes are a syntax error.

Perhaps I can't use the OR argument in this particular application and will have to continue with two separate datasets.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Updates (ESCU) - New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 3 releases of new content via the Enterprise ...

Thought Leaders are Validating Your Hard Work and Training Rigor

As a Splunk enthusiast and member of the Splunk Community, you are one of thousands who recognize the value of ...

.conf23 Registration is Now Open!

Time to toss the .conf-etti 🎉 —  .conf23 registration is open!   Join us in Las Vegas July 17-20 for ...