Tags: splunk, splunk-query

Multifields search in Splunk without knowing field names


There are two values V1 and V2 and I do not know the index field names. How should the request look if I want to have the following in the selection response:

unknown-field-name1 = V1
unknown-field-name2 = V2

I am a beginner in the Splunk world and just tried to use "V1 AND V2", but it doesn't work.


Solution

  • Not knowing the field name is definitely going to be tricky when it comes to processing it later, but what you'll want to do is this:

    index=ndx sourcetype=srctp "V1" "V2"
    

    By default, Splunk ANDs all search terms.

    So if you're looking for "V1" and "V2" in the same event, you just need to quote all of the individual terms you're looking for.

    Depending on your data, you may get better performance using TERM(), too:

    index=ndx sourcetype=srctp TERM("V1") TERM("V2")
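As an added example (not part of the answer above), this search keeps the implicit-AND match on the two quoted terms and then uses `foreach *` to report which extracted fields hold exactly V1 or V2, which is the "tricky" part of processing the results later. The index, sourcetype and values are the placeholders from the question; the `matched_fields` name is assumed, and only exact field values are reported, so a field containing V1 as a substring is not listed.

```spl
index=ndx sourcetype=srctp "V1" "V2"
| eval matched_fields=""
| foreach * [
    eval matched_fields=if('<<FIELD>>'=="V1" OR '<<FIELD>>'=="V2",
                           matched_fields . ",<<FIELD>>",
                           matched_fields)
]
| eval matched_fields=ltrim(matched_fields, ",")
| where matched_fields!=""
| eval matched_fields=split(matched_fields, ",")
| stats count BY matched_fields
```

Once the field names are known, replace the `foreach` with the explicit `fieldname1="V1" fieldname2="V2"` filter, which is cheaper at scale. Note that `TERM()` only matches a value that sits between major breakers (such as spaces) in `_raw`, so it will not find a value that itself contains a space.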