Solved: Re: Search a field for multiple values

tmarlette · ‎12-13-2012

I am attempting to search a field, for multiple values.

this is the syntax I am using:

< mysearch > field=value1,value2 | table _time,field

The ',' doesn't work, but I assume there is an easy way to do this, I just can't find it the documentation.

Does anyone have any ideas?

cphair · ‎12-13-2012

Use field=value1 OR field=value2.

View solution in original post

pkisplunk · ‎10-04-2020

You can use the `IN` operator like:

error_code IN (4*, 500, 502, 503)

You can have both concrete values and wildcards.

See https://www.splunk.com/en_us/blog/tips-and-tricks/smooth-operator-searching-for-multiple-field-value...

Eze · ‎06-17-2020

field IN (value1,value2,value3)

Example:

index=network severity IN (low,high,medium)

cphair · ‎12-13-2012

Use field=value1 OR field=value2.

Georgin · ‎11-25-2015

Should value1 or value2 be enclosed in quotes?

ReddySk · ‎08-07-2019

Hello,
I am trying to combine it with my search string but no result is returned.

index=index1  type=transaction (host="host1" OR host="host2" OR host="host3")

What is wrong?

Thanks, Regards, Rudo

cphair · ‎07-26-2016

@Georgin: It doesn't have to be quoted unless the value itself contains separators. E.g. field=0 OR field=1 is fine, but you would have to use quotes for field="My String With Spaces".

splunkdevabhi · ‎07-25-2016

Yes . You may include it

Search a field for multiple values

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation