Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Search for events that have only specific multiple values in a field

RowdyRodney
New Member
‎04-28-2025 07:53 PM

Hey all - I have a need to search for events in Splunk that contain two specific values in one field. I want the results to return only those events that have both values in them. I'm trying to use this:

(my_field_name="value1" AND my_field_name="value2")

This still returns results that have either value1, or value2, not events that contain both. How would I query for results that contain only both values, not individual values?

Labels (1)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎04-28-2025 08:58 PM

That doesn't sound right - are you referring to a multi-value field?

| makeresults
| fields - _time
| eval value=split("ABC","")
| search value=A AND value=C

This search above will find a result for A and C, but if you change it to A and D it does not find results.

Can you give an example of your results in the OR case

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎04-29-2025 12:09 AM

If you want for value to contain only those two values, you could modify @bowesmana 's solution like so

| makeresults
| fields - _time
| eval value=split("ABC","")
| where mvcount(value)=2
| search value=A AND value=C
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...

Secure Your Future: Mastering Upgrade Readiness for Splunk 10

Spotlight: The Splunk Health Assistant Add-On  The Splunk Health Assistant Add-On is your ultimate companion ...

Observability Unlocked: Kubernetes & Cloud Monitoring with Splunk IM

Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team on ...