Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Search multiple literals in the same event
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Search multiple literals in the same event
I am searching an index for 22 different literals. Each one of the events could have 2 or three contained in each event. How do I set up the search to look through the list of all 22. I can not set it up as an AND or an OR operator.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My suggestion would be to enter your terms into a file that you then use as a lookup in Splunk. By using a subsearch that reads from this lookup file, you can easily construct a search that will automatically add all terms that you want to look for.
The lookup file could look something like:
literal
"Failure populating the cust_doc_metadata table"
"Failure calling proxy.fillAndCreateDocuments"
"EOutputServiceException"
"No rule found"
The important thing is to have a header in the first row so that Splunk can parse this as a proper lookup file.
Then, setup your search that uses inputlookup in a subsearch. Let's call the lookup you've constructed "literals".
[| inputlookup literals | return $literal]
This subsearch will expand to something like
(("Failure populating the cust_doc_metadata table") OR ("Failure calling proxy.fillAndCreateDocuments") OR ("EOutputServiceException") OR ("No rule found") OR ... )
which should do what you want.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Below is a list literals that may be found in a single event. There could be more than one in the same event. I can not use an AND or OR operator in the search string. I need the syntax for the search string if there is more than one of the literals in some of the events
"Failure populating the cust_doc_metadata table"
"Failure calling proxy.fillAndCreateDocuments"
"EOutputServiceException"
"No rule found"
"Failure retrieving the shared document objectId"
"Server communication failure"
"java.net.SocketException: Connection reset"
"DFC_DOCBROKER_REQUEST_FAILED"
"DFC_SESSION_TRANSACTION_ACTIVE"
"DM_SYSOBJECT_E_CANT_ACCESS_FILE"
"DM_FOLDER_E_PATH_EXISTS"
"DM_SESSION_E_TRANSACTION_ERROR"
"DM_SYSOBJECT_E_LINK_PERMIT2"
"DM_SESSION_E_RPC_ERROR"
"DM_OBJ_MGR_E_SAVE_FAIL"
"Failure converting"
"Unparseable date:"
"Bad string detected"
"Could not connect to SMTP host"
"Unknown SMTP host:"
"ERROR"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm sorry, but I think that more information could still be needed. What kind of log do you have? In what way are events structured, if at all? CSV, key/value, XML, unstructured text, etc etc
Please provide a few real events, but feel free to mask any sensitive information with xxxx.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
A clarifying example, please?
What's New in Splunk Observability - October 2025
🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2
Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...
