Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Can I have 2 searches in one string to shorten my search for information from 2 hosts?

shingdayho
Explorer
‎11-11-2014 05:15 AM

Hi,

I want to find information from 2 hosts, I can do it by running the command below:

192.168.144.1 OR 192.168.244.1

However I want to shorten this, I thought it would look something like the command below but it doesnt work.

192.168.[search 144 OR 244].1

Tags (2)
0 Karma
Reply

tachifelix
Path Finder
‎12-12-2014 12:50 AM

Use rex command in your search string like this:

...|rex "(?i)(?P<Host>192.168.144.1|192.168.244.1)" |search Host|.....
0 Karma
Reply

sves
Explorer
‎11-12-2014 04:39 AM

Hi,

This boils down to understanding how SPL work.
The search 192.168.(144 OR 244).1 work because you really do a free-text search. And this free-text search can be broken into three parts: 192.168. (144 OR 244) .1. Which is just the same as writing "192.168." AND (144 OR 244) AND ".1", or ".1" AND "192.168." AND (144 OR 244)

If you check Job inspector, you will find good information on this. E.g. Splunk translate 192.168.(144 OR 244).1 into
keywords *.1* *192.168.* 144 244

This approach will not work as expected when searching in specific fields. Again, this is because Splunk break up the search into multiple statements.
srcIP=192.168.(144 OR 244).1 will be the same as writing srcIP="192.168." AND (144 OR 244) AND ".1", where (144 OR 244) AND ".1" is a free-text search.

Cheers!
#Sven Emil

Reply

Muryoutaisuu
Communicator
‎11-12-2014 05:44 AM

Aaah. Thank you alot!

0 Karma
Reply

Ledion_Bitincka
Splunk Employee
Splunk Employee
‎11-11-2014 01:00 PM

There is no way to express exactly what you want. Btw while the following does not do the right thing

192.168. ( 144 OR 244 ) .1

May I ask what's the reason/value in shortening the search string?

0 Karma
Reply

Muryoutaisuu
Communicator
‎11-12-2014 12:31 AM

192.168. ( 144 OR 244 ) .1 surely does not do the right thing, because you have 3 independent strings due to blank between the values and the brackets. I tested my approach | search 192.168.(144 OR 244).1 and it worked fine. Still I can't get it to work with a field e.g.: | search srcIP=192.168.(144 OR 244).1

0 Karma
Reply

Muryoutaisuu
Communicator
‎11-11-2014 05:28 AM

Not sure if it does work:
192.168.(144 OR 244).1
Round brackets without subsearch.

Reply

shingdayho
Explorer
‎11-11-2014 05:31 AM

I swear I tried that before! That works, thanks!

0 Karma
Reply

Muryoutaisuu
Communicator
‎11-11-2014 05:55 AM

spooky 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...