The implied AND
If you want to search on more than one term, there is no need to add AND as it is already
implied. If, for example, you want to search for all tweets that include both the text
"coffee" and the text "morning", then use:
index=twitter text=*coffee* text=*morning*
If you don't specify text= for the second term and just put *morning*, Splunk assumes
that you want to search for *morning* in any field. Therefore, you could get that word in
another field in an event. This isn't very likely in this case, although coffee could
conceivably be part of a user's name, such as "coffeelover". But if you were searching for other
text strings, such as a computer term like log or error, such terms could be found in a
number of fields. So specifying the field you are interested in would be very important.
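The following added example (not from the original text, and not Splunk's own implementation) is a simplified Python model of the behaviour described above: terms are ANDed together, and a term without a field name is checked against every field. The events are constructed, and the field names user and source are assumptions.

```python
from fnmatch import fnmatchcase

# Constructed sample events (not real data); "user" and "source" are assumed field names.
EVENTS = [
    {"id": 1, "user": "alice", "text": "Coffee first, then the morning standup"},
    {"id": 2, "user": "coffeelover", "text": "Good morning everyone"},
    {"id": 3, "user": "bob", "text": "Need coffee", "source": "morning_digest"},
    {"id": 4, "user": "carol", "text": "Tea in the evening"},
]
# Tag every event with the index name used in the page's query.
EVENTS = [dict(event, index="twitter") for event in EVENTS]


def term_matches(event, term):
    """One search term: 'field=pattern' is scoped, a bare pattern checks every field."""
    if "=" in term:
        field, pattern = term.split("=", 1)
        values = [event.get(field, "")]
    else:
        pattern = term
        values = event.values()
    pattern = pattern.lower()  # model matching as case-insensitive
    return any(fnmatchcase(str(value).lower(), pattern) for value in values)


def search(events, query):
    """Space-separated terms carry an implied AND: every term must match."""
    terms = query.split()
    return [e["id"] for e in events if all(term_matches(e, t) for t in terms)]


def unintended_hits(events, scoped_query, loose_query):
    """Events the loose query returns that the fully scoped query does not."""
    return sorted(set(search(events, loose_query)) - set(search(events, scoped_query)))


if __name__ == "__main__":
    scoped = "index=twitter text=*coffee* text=*morning*"
    loose = "index=twitter text=*coffee* *morning*"
    bare = "index=twitter *coffee* *morning*"
    print("scoped:", search(EVENTS, scoped))
    print("loose: ", search(EVENTS, loose))
    print("bare:  ", search(EVENTS, bare))
    print("extra hits from dropping text=:", unintended_hits(EVENTS, scoped, loose))
```

Event 3 is returned by the loose query only because "morning" appears in its source field, and event 2 is returned by the bare query only because of the user name "coffeelover".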