Assume Splunk is indexing a bunch of structured JSON data and a keyword search such as "foo" OR "bar".
Now I want to search a list of specific fields for these keywords without writing queries like field1="foo" or field1="bar" or field2="foo" or field3="bar" as the number of keywords I have is fairly large.
This is not a problem if the events I am searching only consist of the fields that I'm interested in. However, I have more fields for which I don't want to perform this search.
I was hoping I could do something like this:
* | fields field1,field2 | search "foo" or "bar"
However, the search command is working on the entire index again and not only the extracted values of field1,field2.
Also, I need to account for not all events having field1 and field2. Some may just have field1, others may have field2, others may have both.
Is there any way to achieve what I want here in Splunk?
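One way to restrict keyword matching to a chosen set of fields, as an added example that is not part of the original post or of any answer to it (the index, sourcetype and field names are assumed; the regex anchors assume whole-value matches, drop the `^`/`$` for substring matches):

```spl
index=my_index sourcetype=my_json ("foo" OR "bar")
| eval kw_hit=0
| foreach field1 field2
    [ eval kw_hit=if(match('<<FIELD>>', "(?i)^(foo|bar)$"), 1, kw_hit) ]
| where kw_hit=1
| fields field1 field2
```

The leading keyword filter lets the index discard events that contain neither term anywhere, and the `foreach` then keeps only events where one of the listed fields actually holds a keyword; events missing `field1` or `field2` are handled because `match()` on an absent field is not true, so `kw_hit` is left unchanged. `fields` alone only trims the output columns and never narrows what `search` matches against.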