Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Search multiple literals in the same event
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Search multiple literals in the same event
I am searching an index for 22 different literals. Each one of the events could have 2 or three contained in each event. How do I set up the search to look through the list of all 22. I can not set it up as an AND or an OR operator.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My suggestion would be to enter your terms into a file that you then use as a lookup in Splunk. By using a subsearch that reads from this lookup file, you can easily construct a search that will automatically add all terms that you want to look for.
The lookup file could look something like:
literal
"Failure populating the cust_doc_metadata table"
"Failure calling proxy.fillAndCreateDocuments"
"EOutputServiceException"
"No rule found"
The important thing is to have a header in the first row so that Splunk can parse this as a proper lookup file.
Then, setup your search that uses inputlookup in a subsearch. Let's call the lookup you've constructed "literals".
[| inputlookup literals | return $literal]
This subsearch will expand to something like
(("Failure populating the cust_doc_metadata table") OR ("Failure calling proxy.fillAndCreateDocuments") OR ("EOutputServiceException") OR ("No rule found") OR ... )
which should do what you want.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Below is a list literals that may be found in a single event. There could be more than one in the same event. I can not use an AND or OR operator in the search string. I need the syntax for the search string if there is more than one of the literals in some of the events
"Failure populating the cust_doc_metadata table"
"Failure calling proxy.fillAndCreateDocuments"
"EOutputServiceException"
"No rule found"
"Failure retrieving the shared document objectId"
"Server communication failure"
"java.net.SocketException: Connection reset"
"DFC_DOCBROKER_REQUEST_FAILED"
"DFC_SESSION_TRANSACTION_ACTIVE"
"DM_SYSOBJECT_E_CANT_ACCESS_FILE"
"DM_FOLDER_E_PATH_EXISTS"
"DM_SESSION_E_TRANSACTION_ERROR"
"DM_SYSOBJECT_E_LINK_PERMIT2"
"DM_SESSION_E_RPC_ERROR"
"DM_OBJ_MGR_E_SAVE_FAIL"
"Failure converting"
"Unparseable date:"
"Bad string detected"
"Could not connect to SMTP host"
"Unknown SMTP host:"
"ERROR"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm sorry, but I think that more information could still be needed. What kind of log do you have? In what way are events structured, if at all? CSV, key/value, XML, unstructured text, etc etc
Please provide a few real events, but feel free to mask any sensitive information with xxxx.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
A clarifying example, please?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
