Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Search is returning unwanted data.
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jsven7
Communicator
06-15-2017
06:43 AM
index=myindex server="server1234" OR "server1235" OR "server1236" OR "server1237" OR "server1238" | stats count(_raw) by server
results:
server1234
server123456 <----- why am I getting this?
server1235
server1236
server1237
server1238
server12347 <----- why am I getting this?
server12348 <----- why am I getting this?
server123890 <----- why am I getting this?
How do I only get in return what I asked for? Thanks in advanced.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
cmerriman
Super Champion
06-15-2017
06:55 AM
those are open strings. try this:
index=myindex server="server1234" OR server="server1235" OR server="server1236" OR server="server1237" OR server="server1238" | stats count(_raw) by server
or if you have splunk 6.6:
index=myindex server IN ("server1234" ,"server1235","server1236", "server1237", "server1238") | stats count(_raw) by server
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
cmerriman
Super Champion
06-15-2017
06:55 AM
those are open strings. try this:
index=myindex server="server1234" OR server="server1235" OR server="server1236" OR server="server1237" OR server="server1238" | stats count(_raw) by server
or if you have splunk 6.6:
index=myindex server IN ("server1234" ,"server1235","server1236", "server1237", "server1238") | stats count(_raw) by server
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jsven7
Communicator
06-15-2017
07:15 AM
I see. thank you sir.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DalJeanis
Legend
06-15-2017
07:27 AM
@cmerriman - I believe you are missing a close paren in the splunk 6.6 example.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jsven7
Communicator
06-15-2017
07:38 AM
i don't see that.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jsven7
Communicator
06-15-2017
07:41 AM
oh you must've edited it before I saw.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
cmerriman
Super Champion
06-15-2017
07:37 AM
thanks @DalJeanis . i was missing a quote too...just have really hit backspace on accident a few times.
Get Updates on the Splunk Community!
A Season of Skills: New Splunk Courses to Light Up Your Learning Journey
There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...
Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...
Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to Officially Supported Splunk ...
Splunk Observability for AI
Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!
Discover how Splunk’s agentic AI ...
