Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is there a better way to write my search currently using boolean OR operators to make it shorter or more efficient?

HattrickNZ
Motivator
‎03-18-2015 07:02 PM

I have the following search with OR operators

index=index1 host=host1 elementType=ET  measInfoId=117440551 OR measInfoId=117440572 OR measInfoId=117490518 |

Is there a better way of writing the OR part of this search, be it shorter or more efficient?

measInfoId=117440551 OR measInfoId=117440572 OR measInfoId=117490518
Tags (3)
0 Karma
Reply

dwaddle
SplunkTrust
SplunkTrust
‎03-19-2015 01:31 PM

There isn't a quick and easy way to make this perform better / be more efficient. Splunk's use of boolean AND/OR/NOT is generally very efficient up until you have several thousand terms in your search.

Syntactically, though, you may want something to sweeten it. Folks have brought up before the concept of field IN (aaa,bbb,ccc) as syntactic sugar around OR. This doesn't exist though.

If your list of items is LONG (tens / hundreds) you can make a CSV file and use a lookup, say called measInfoId.csv like so:

measInfoId
117440551
117440572 
117490518

And then use the inputlookup command to drag it in. It produces the same long list of OR statements just without putting your "O" and "R" keys through such a workout.

 index=index1 host=host1 elementType=ET [ | inputlookup measInfoId.csv ]
Reply

fdi01
Motivator
‎03-19-2015 05:07 AM

try like this:

 measInfoId=1174(40551 OR 40572 OR 90518 )

ex:
 index=index1 host=host1 elementType=ET  measInfoId=1174(40551 OR 40572 OR 90518 )
Reply

HattrickNZ
Motivator
‎03-19-2015 01:11 PM

Tried both these and they did not work

... measInfoId=1174(40551)

... measInfoId=1174(40551 OR 40572 OR 90518)

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

Introduction to Splunk AI

How are you using AI in Splunk? Whether you see AI as a threat or opportunity, AI is here to stay. Lucky for ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Maximizing the Value of Splunk ES 8.x

Splunk Enterprise Security (ES) continues to be a leader in the Gartner Magic Quadrant, reflecting its pivotal ...