https://community.splunk.com/t5/Splunk-Search/Search-for-multiple-values-in-field/m-p/371243#M162076 <P>If your list is going to grow, you'd be very smart to follow @niketnilay's advice and set up a lookup table. His search structure will handle the formatting, too. </P> Thu, 22 Mar 2018 20:33:09 GMT elliotproebstel 2018-03-22T20:33:09Z https://community.splunk.com/t5/Splunk-Search/Search-for-multiple-values-in-field/m-p/371239#M162072 <P>Hi,<BR /> I am trying to omit search results for a field that might have a couple of different values. <BR /> any ideas how to best do this? Is EVAL or LIKE the way to go? </P> <P>Here's some sample data:<BR /> computerdisconnected="[bob sbr] [tube tue]"<BR /> computerdisconnected="[tube tue]"</P> <P><STRONG>condition-</STRONG><BR /> If the computerdisconnected contains any values like "bob or "Tube" then don't return any results. </P> <P>In other words I am getting regular reminders that these machines are disconnected, I only want NEW results so I want to keep a list of repeat offenders and ignore them.</P> <P>Thanks in advance</P> Wed, 21 Mar 2018 22:23:17 GMT https://community.splunk.com/t5/Splunk-Search/Search-for-multiple-values-in-field/m-p/371239#M162072 banzen 2018-03-21T22:23:17Z https://community.splunk.com/t5/Splunk-Search/Search-for-multiple-values-in-field/m-p/371240#M162073 <P>Do all the potential values for <CODE>computerdisconnected</CODE> get formatted like that? If so, this might work:</P> <PRE><CODE>your base search NOT "[bob*" OR "[tube*" </CODE></PRE> <P>So that's literally whatever you're searching for right now followed immediately by <CODE>NOT "[bob*" OR "[tube*"</CODE>. The opening square brackets matter, I believe.</P> Thu, 22 Mar 2018 01:03:32 GMT https://community.splunk.com/t5/Splunk-Search/Search-for-multiple-values-in-field/m-p/371240#M162073 elliotproebstel 2018-03-22T01:03:32Z https://community.splunk.com/t5/Splunk-Search/Search-for-multiple-values-in-field/m-p/371241#M162074 <P>Agree with @elliotproebstel and to add on I would move such patterns to lookup file</P> <PRE><CODE>&lt;YourBaseSearch&gt; NOT [| inputookup &lt;yourLookupFileName&gt;.csv | eval &lt;yourLookupFiledName&gt;="*".&lt;yourLookupFiledName&gt;."*" | rename &lt;yourLookupFiledName&gt; as search] | &lt;yourRemainingSearch&gt; </CODE></PRE> <P>Following is a sample search based on the data that you have provided (PS: <CODE>makeresults</CODE> used instead of inputlookup to mock up the terms to be filtered from search.</P> <PRE><CODE>&lt;YourBaseSearch&gt; NOT [| makeresults | eval lookupData="bob,tube" | makemv lookupData delim="," | mvexpand lookupData | eval lookupData="*".lookupData."*" | rename lookupData as search] | &lt;yourRemainingSearch&gt; </CODE></PRE> Thu, 22 Mar 2018 06:10:28 GMT https://community.splunk.com/t5/Splunk-Search/Search-for-multiple-values-in-field/m-p/371241#M162074 niketn 2018-03-22T06:10:28Z https://community.splunk.com/t5/Splunk-Search/Search-for-multiple-values-in-field/m-p/371242#M162075 <P>And if my list continues to grow, just keep adding OR statements? OR " " OR "" OR "" ? I can do do this, just thought there was a cleaner way, like anything <BR /> LIKE or IN ("bob*,"tube*", "next*") </P> Tue, 29 Sep 2020 18:38:00 GMT https://community.splunk.com/t5/Splunk-Search/Search-for-multiple-values-in-field/m-p/371242#M162075 banzen 2020-09-29T18:38:00Z https://community.splunk.com/t5/Splunk-Search/Search-for-multiple-values-in-field/m-p/371243#M162076 <P>If your list is going to grow, you'd be very smart to follow @niketnilay's advice and set up a lookup table. His search structure will handle the formatting, too. </P> Thu, 22 Mar 2018 20:33:09 GMT https://community.splunk.com/t5/Splunk-Search/Search-for-multiple-values-in-field/m-p/371243#M162076 elliotproebstel 2018-03-22T20:33:09Z