Multiple where values

ashishlal82 · ‎08-25-2016

how can I use multiple values in where clause

for ex:index=xyz sourcetype=abc | dedup name | where name="2009-2274" 2009-2271"

This is giving me an error, can I use OR clause to get field values for the above mentioned values

DalJeanis · ‎02-28-2017

Yes, you can use OR. The actual issue there is probably that you are missing the word OR and missing a quote before the value 2009-2271.

jbanerje · ‎02-28-2017

Multiple conditions can be checked by the where clause as shown below :

| inputlookup test.csv | where like(field1, "IP") and not like(field2, "Pass")

sundareshr · ‎08-25-2016

Yes, you can use OR, like this where name="abc" OR name="xyz" OR you can use ... | search name="abc" OR name="xyz". Having said that, you should always try to reduce as much as you can in the first (implicit) search command in terms of efficiency. So I would change your query to

index=xyz sourcetype=abc (name="2009-2274" OR name="2009-2271") | dedup name

Multiple where values

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation

Multiple where values

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future