Is there a better way to write OR statements in a ...

daniel333 · ‎02-27-2016

Is there a better way to do an OR in Splunk?

Example:

api_domain="purchase" OR api_domain="user" OR api_domain="testX"

I assume there is something like api_domain="x" OR "y" OR "z" but but doesn't seem to fly.

woodcock · ‎02-28-2016

Also, if you are after the base search (post-pipe) and don't care about doing this work non-map-reduced (only at the search head), you can do things like this:

... | regex api_domain="^(purchase|user|testX)$"
... | where match(api_domain, "^(purchase|user|testX)$")

woodcock · ‎02-27-2016

That is the normal way and I do not see much reason to deviate.

Let's say that you have a long list of things in a single string or field, you can do it like this:

This part creates a string of sufff (purely for creating something to demonstrate upon):

| noop | stats count AS api_domain | eval api_domain = "purchase, user, testX"

Then you can do something like this:

| makemv delim="," api_domain | format

Then you can use it in outer search like this:

index = blah [| noop | stats count AS api_domain | eval api_domain = "purchase, user, testX" | makemv delim="," api_domain]

Is there a better way to write OR statements in a Splunk search?

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Splunk Life | Happy Pride Month!

SplunkTrust | Where Are They Now - Michael Uschmann