topic Re: Comparing multivalue field with single value field (v6.5.2) in Splunk Search

Comparing multivalue field with single value field (v6.5.2)

esmonder — Fri, 27 Apr 2018 06:21:11 GMT

I was looking for a way to input multiple text inputs on a dashboard and searching the inputs against a single value field, and I have concluded that splunk has no other way to handle multi text input with the exception of created an inputlookup table or creating a multivalue input and using makemv and mvexpand. (correct me if i am wrong). And i do not want to create a inputlookup table

Problem now is how would i compare the values in the multivalue field and a single value field
Below is my spl:

mysearch [stats count| eval my_mv="$IPs$"|makemv my_mv delim="," | mvexpand my_mv ]

basically i have an input of multiple IPs(my_mv) and i want to search these IPs against an existing srcip field and return the events associated with the matched srcip.

Thanks!

Re: Comparing multivalue field with single value field (v6.5.2)

somesoni2 — Fri, 27 Apr 2018 15:31:43 GMT

If you're using Splunk 6.6 OR above, you get an IN operator in your search command using which you can search multiple values. I belive something like this would work (for comma separated list of IPs)

mysearch src_ip IN ($IPs$)

See this for more details

http://docs.splunk.com/Documentation/SplunkCloud/6.6.0/SearchReference/Search#Multiple_field-value_comparisons_with_the_IN_operator

Re: Comparing multivalue field with single value field (v6.5.2)

DalJeanis — Fri, 27 Apr 2018 22:58:18 GMT

A multiselect input field can produce an output token value that looks like...

( ( field1="value1" ) OR ( field1="value2" ) OR ( field1="value3" ) ... )

You do that by setting the input's <valueprefix> and <valuesuffix> and <delimiter> tags.

See this for more info https://docs.splunk.com/Documentation/Splunk/7.0.3/Viz/PanelreferenceforSimplifiedXML

You can create a similar effect in code, by putting the code inside the brackets of a subsearch, using the format command with parameters as desired, and then optionally using a rex mode=sed field=search "s/some thing/some other thing/g" command to customize some thing into some other thing.

Re: Comparing multivalue field with single value field (v6.5.2)

esmonder — Mon, 30 Apr 2018 02:51:15 GMT

Hi somesoni2, i am aware of the IN operator for 6.6 and beyond, unfortunately, we would not be upgrading the Splunk platform anytime soon 😞