topic How do you use the IN function with a free text search? in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-do-you-use-the-IN-function-with-a-free-text-search/m-p/416379#M119843 <P>I would like to search the entire record for a list of text strings using the IN function.</P> <P>At the moment, I have a search that looks a bit like</P> <PRE><CODE> (a OR b OR c) AND message_type=foo </CODE></PRE> <P>which finds <CODE>za</CODE>, <CODE>zb</CODE>, <CODE>zc</CODE> etc. in the field <CODE>video_type</CODE></P> <P>I would rather use something like</P> <PRE><CODE> video_type IN (a, b, c) AND message_type=foo </CODE></PRE> <P>or</P> <PRE><CODE> _raw IN (a, b, c) AND message_type=foo </CODE></PRE> <P>Because I want to use the search in a dashboard and have users paste <CODE>a</CODE>, <CODE>b</CODE>, and <CODE>c</CODE> in an input.</P> <P>But free text search doesn't work if you specify a field to search in ā€” it only seems to find exact matches.</P> Wed, 27 Feb 2019 17:37:45 GMT toryan 2019-02-27T17:37:45Z How do you use the IN function with a free text search? https://community.splunk.com/t5/Splunk-Search/How-do-you-use-the-IN-function-with-a-free-text-search/m-p/416379#M119843 <P>I would like to search the entire record for a list of text strings using the IN function.</P> <P>At the moment, I have a search that looks a bit like</P> <PRE><CODE> (a OR b OR c) AND message_type=foo </CODE></PRE> <P>which finds <CODE>za</CODE>, <CODE>zb</CODE>, <CODE>zc</CODE> etc. in the field <CODE>video_type</CODE></P> <P>I would rather use something like</P> <PRE><CODE> video_type IN (a, b, c) AND message_type=foo </CODE></PRE> <P>or</P> <PRE><CODE> _raw IN (a, b, c) AND message_type=foo </CODE></PRE> <P>Because I want to use the search in a dashboard and have users paste <CODE>a</CODE>, <CODE>b</CODE>, and <CODE>c</CODE> in an input.</P> <P>But free text search doesn't work if you specify a field to search in ā€” it only seems to find exact matches.</P> Wed, 27 Feb 2019 17:37:45 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-use-the-IN-function-with-a-free-text-search/m-p/416379#M119843 toryan 2019-02-27T17:37:45Z Re: How do you use the IN function with a free text search? https://community.splunk.com/t5/Splunk-Search/How-do-you-use-the-IN-function-with-a-free-text-search/m-p/416380#M119844 <P>@toryan IN will look for exact value and not a substring. Probably you can use match function instead.</P> Wed, 27 Feb 2019 17:54:07 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-use-the-IN-function-with-a-free-text-search/m-p/416380#M119844 Vijeta 2019-02-27T17:54:07Z Re: How do you use the IN function with a free text search? https://community.splunk.com/t5/Splunk-Search/How-do-you-use-the-IN-function-with-a-free-text-search/m-p/416381#M119845 <P>As the search is used in dashboard, the user inputs can be collected in a token and run against search. Do you see any issues with that? you don't need to use IN<BR /> your base search message_type=foo| search (video_type=$tokenA$ OR video_type=$tokenB$) </P> Tue, 29 Sep 2020 23:27:19 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-use-the-IN-function-with-a-free-text-search/m-p/416381#M119845 lakshman239 2020-09-29T23:27:19Z Re: How do you use the IN function with a free text search? https://community.splunk.com/t5/Splunk-Search/How-do-you-use-the-IN-function-with-a-free-text-search/m-p/416382#M119846 <P>I want users to be able to input any number of values, separated by commas, in an input. So using $a OR $b etc will not work.</P> Fri, 01 Mar 2019 11:48:44 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-use-the-IN-function-with-a-free-text-search/m-p/416382#M119846 toryan 2019-03-01T11:48:44Z Re: How do you use the IN function with a free text search? https://community.splunk.com/t5/Splunk-Search/How-do-you-use-the-IN-function-with-a-free-text-search/m-p/416383#M119847 <P>@Vijeta how would that work? Can you provide an example?</P> Fri, 01 Mar 2019 13:32:15 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-use-the-IN-function-with-a-free-text-search/m-p/416383#M119847 toryan 2019-03-01T13:32:15Z Re: How do you use the IN function with a free text search? https://community.splunk.com/t5/Splunk-Search/How-do-you-use-the-IN-function-with-a-free-text-search/m-p/416384#M119848 <P>Isn't this just a case where you could use wildcards like a*, b*, c*?</P> Tue, 29 Sep 2020 23:28:31 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-use-the-IN-function-with-a-free-text-search/m-p/416384#M119848 gjanders 2020-09-29T23:28:31Z Re: How do you use the IN function with a free text search? https://community.splunk.com/t5/Splunk-Search/How-do-you-use-the-IN-function-with-a-free-text-search/m-p/416385#M119849 <P>Try <BR /> match(video_type, ā€œa|b|c|dā€)</P> Sun, 03 Mar 2019 03:51:06 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-use-the-IN-function-with-a-free-text-search/m-p/416385#M119849 Vijeta 2019-03-03T03:51:06Z Re: How do you use the IN function with a free text search? https://community.splunk.com/t5/Splunk-Search/How-do-you-use-the-IN-function-with-a-free-text-search/m-p/416386#M119850 <P>This still doesn't allow users to enter the search terms in an input field.</P> Tue, 05 Mar 2019 07:17:50 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-use-the-IN-function-with-a-free-text-search/m-p/416386#M119850 toryan 2019-03-05T07:17:50Z