Solved: Re: Search a field for multiple values

tmarlette · ‎12-13-2012

I am attempting to search a field, for multiple values.

this is the syntax I am using:

< mysearch > field=value1,value2 | table _time,field

The ',' doesn't work, but I assume there is an easy way to do this, I just can't find it the documentation.

Does anyone have any ideas?

cphair · ‎12-13-2012

Use field=value1 OR field=value2.

View solution in original post

pkisplunk · ‎10-04-2020

You can use the `IN` operator like:

error_code IN (4*, 500, 502, 503)

You can have both concrete values and wildcards.

See https://www.splunk.com/en_us/blog/tips-and-tricks/smooth-operator-searching-for-multiple-field-value...

Eze · ‎06-17-2020

field IN (value1,value2,value3)

Example:

index=network severity IN (low,high,medium)

cphair · ‎12-13-2012

Use field=value1 OR field=value2.

Georgin · ‎11-25-2015

Should value1 or value2 be enclosed in quotes?

ReddySk · ‎08-07-2019

Hello,
I am trying to combine it with my search string but no result is returned.

index=index1  type=transaction (host="host1" OR host="host2" OR host="host3")

What is wrong?

Thanks, Regards, Rudo

cphair · ‎07-26-2016

@Georgin: It doesn't have to be quoted unless the value itself contains separators. E.g. field=0 OR field=1 is fine, but you would have to use quotes for field="My String With Spaces".

splunkdevabhi · ‎07-25-2016

Yes . You may include it

Search a field for multiple values

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases

Are you a member of the Splunk Community?

Search a field for multiple values

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases