I always understood the search
command's expressions be connected by a logical AND by default:
search customer=123 item=flower
will return events that have both customer=123 AND item=flower.
However, I was looking at the Search Reference:
https://docs.splunk.com/Documentation/Splunk/7.3.0/SearchReference/Search
Under Syntax, I see this excerpt:
<logical-expression> [OR] <logical-expression>
This reads to me like [OR]
is optional and means the same without [OR]
with a space separator, so I interpret it as:
<logical-expression> [OR] <logical-expression>
is equivalent to <logical-expression> <logical-expression>
Am I not understanding this syntax in Reference correctly?
I think you're indeed misinterpreting that syntax. When no operator is specified, AND is implied. I do agree that this can be a little confusing. You might want to post that as a feedback at the bottom of the docs page, such that the author of that page can perhaps clarify that.