Limit on number of OR conditions in a search query

keerthana_k · ‎12-29-2015

Hi,

I would like to know if there is a limit to the number of OR conditions that we can include as part of a search query?

Thanks,

Keerthana

renjith_nair · ‎12-29-2015

We have used more than 100 especially when splunk converts sub searches to OR conditions and even in format. So most probably there are no limits we are aware of.

If you are facing an issue in searches it might be because of other limits in http://docs.splunk.com/Documentation/Splunk/6.2.0/admin/Limitsconf

There should be better ways to write search without using a lot of OR conditions.

Happy Splunking!

jplumsdaine22 · ‎12-30-2015

Also you should get an alert in the UI if you violate any limits in the search

keerthana_k · ‎12-30-2015

Actually we are running the search in back end from a Python script where we form the search query dynamically with the OR conditions. As we are not sure of the number of conditions, I wanted to know if there was a limit.

thirumalreddyb · ‎12-30-2015

Print the search query to a file/log and run the same query in the Splunk UI. This might help you understand whether your query has any other errors and search violations or any. As I know of, there isn't any such limit for OR.

jplumsdaine22 · ‎12-30-2015

No hard limit.

https://answers.splunk.com/answers/13480/is-there-a-character-limit-for-search-queries.html

How long are you talking about? Also I'd check the limits of your python libraries.

Limit on number of OR conditions in a search query

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!