Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Search a field for multiple values
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tmarlette
Motivator
12-13-2012
11:29 AM
I am attempting to search a field, for multiple values.
this is the syntax I am using:
< mysearch > field=value1,value2 | table _time,field
The ',' doesn't work, but I assume there is an easy way to do this, I just can't find it the documentation.
Does anyone have any ideas?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
cphair
Builder
12-13-2012
11:57 AM
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
pkisplunk
Explorer
10-04-2020
11:30 PM
You can use the `IN` operator like:
error_code IN (4*, 500, 502, 503)
You can have both concrete values and wildcards.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Eze
Engager
06-17-2020
04:22 AM
field IN (value1,value2,value3)
Example:
index=network severity IN (low,high,medium)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
cphair
Builder
12-13-2012
11:57 AM
Use field=value1 OR field=value2.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Georgin
Engager
11-25-2015
06:27 AM
Should value1 or value2 be enclosed in quotes?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ReddySk
Engager
08-07-2019
06:04 AM
Hello,
I am trying to combine it with my search string but no result is returned.
index=index1 type=transaction (host="host1" OR host="host2" OR host="host3")
What is wrong?
Thanks, Regards, Rudo
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
cphair
Builder
07-26-2016
05:06 AM
@Georgin: It doesn't have to be quoted unless the value itself contains separators. E.g. field=0 OR field=1 is fine, but you would have to use quotes for field="My String With Spaces".
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
splunkdevabhi
Explorer
07-25-2016
12:16 AM
Yes . You may include it
Get Updates on the Splunk Community!
Get Operational Insights Quickly with Natural Language on the Splunk Platform
In today’s fast-paced digital world, turning data into actionable insights is essential for success. With ...
What’s New in Splunk Observability Cloud – June 2025
What’s New in Splunk Observability Cloud – June 2025 We are excited to announce the latest enhancements to ...
Almost Too Eventful Assurance: Part 2
Work While You SleepBefore you can rely on any autonomous remediation measures, you need to close the loop ...
