Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Search for events that have only specific multiple values in a field

RowdyRodney
Engager
‎04-28-2025 07:53 PM

Hey all - I have a need to search for events in Splunk that contain two specific values in one field. I want the results to return only those events that have both values in them. I'm trying to use this:

(my_field_name="value1" AND my_field_name="value2")

This still returns results that have either value1, or value2, not events that contain both. How would I query for results that contain only both values, not individual values?

Labels (1)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎04-28-2025 08:58 PM

That doesn't sound right - are you referring to a multi-value field?

| makeresults
| fields - _time
| eval value=split("ABC","")
| search value=A AND value=C

This search above will find a result for A and C, but if you change it to A and D it does not find results.

Can you give an example of your results in the OR case

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎04-29-2025 12:09 AM

If you want for value to contain only those two values, you could modify @bowesmana 's solution like so

| makeresults
| fields - _time
| eval value=split("ABC","")
| where mvcount(value)=2
| search value=A AND value=C
0 Karma
Reply
Get Updates on the Splunk Community!

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...