https://community.splunk.com/t5/Splunk-Search/Splunks-equivalent-to-the-SQL-quot-IN-quot-function/m-p/44395#M179197 <P>We can all celebrate v6.6.1:<BR /> <A href="http://docs.splunk.com/Documentation/SplunkCloud/6.6.1/ReleaseNotes/NewSplunkCloudFeatures">http://docs.splunk.com/Documentation/SplunkCloud/6.6.1/ReleaseNotes/NewSplunkCloudFeatures</A></P> <P>Because this:<BR /> New SQL-like IN SPL operator New SPL operator that acts as a shorthand for multiple disjunctions of one field. See Comparison and Conditional functions and search in the Search Reference manual.</P> <P>So this:<BR /> <A href="http://docs.splunk.com/Documentation/SplunkCloud/6.6.1/SearchReference/ConditionalFunctions#in.28VALUE-LIST.29">http://docs.splunk.com/Documentation/SplunkCloud/6.6.1/SearchReference/ConditionalFunctions#in.28VALUE-LIST.29</A></P> <P>And this:<BR /> You can use this function with the eval, fieldformat, and where commands, and as part of eval expressions with other commands.<BR /> There is also an IN operator that is similar to the in(VALUE-LIST) function that you can use with the search and tstats commands.<BR /> The following syntax is supported:<BR /> ...| where in(field,"value1","value2", ...)<BR /> ...| where field in("value1","value2", ...)<BR /> ...| eval new_field=in(field,"value1","value2", ...)</P> Wed, 04 Oct 2017 15:09:43 GMT woodcock 2017-10-04T15:09:43Z https://community.splunk.com/t5/Splunk-Search/Splunks-equivalent-to-the-SQL-quot-IN-quot-function/m-p/44391#M179193 <P>I'm trying to create a search form that can take a comma separated list. In sql I would use the 'IN' command.</P> <P>If the form allowed for a comma separated list like "Honda,Chevorlet,FORD,TOYOTA"<BR /> I guess the search would look similar to this.</P> <P>search index=Cars CAR_MAKE IN ($CAR_MAKE$)|table CAR_MAKE CAR_MODEL</P> <P>Any Ideas?</P> Mon, 28 Sep 2020 13:24:06 GMT https://community.splunk.com/t5/Splunk-Search/Splunks-equivalent-to-the-SQL-quot-IN-quot-function/m-p/44391#M179193 marquiselee 2020-09-28T13:24:06Z https://community.splunk.com/t5/Splunk-Search/Splunks-equivalent-to-the-SQL-quot-IN-quot-function/m-p/44392#M179194 <P>Map might work for you, but the more in the list, the longer it takes.</P> <P><CODE>|eval cars=$car_make$|eval car=split(cars,",")|map [search index=Cars car=$car$]</CODE></P> <P>You can also try using a lookup. In <CODE>$APP_HOME/lookups</CODE> make a "cars.csv".</P> <P><CODE>cars.csv<BR /> car<BR /> Ford<BR /> Toyota<BR /> Honda</CODE></P> <P>Then search</P> <P><CODE>index=Cars | join car [|inputlookup cars.csv |stats count by car|fields - count]</CODE></P> Tue, 26 Feb 2013 20:49:32 GMT https://community.splunk.com/t5/Splunk-Search/Splunks-equivalent-to-the-SQL-quot-IN-quot-function/m-p/44392#M179194 alacercogitatus 2013-02-26T20:49:32Z https://community.splunk.com/t5/Splunk-Search/Splunks-equivalent-to-the-SQL-quot-IN-quot-function/m-p/44393#M179195 <P>You could use this subquery in the main search:</P> <PRE><CODE>index=Cars [| gentimes start=-1 increment=1d | eval CAR_MAKE = "foo,bar,baz" | makemv CAR_MAKE delim="," | mvexpand CAR_MAKE | return 100 CAR_MAKE] </CODE></PRE> <P>The subsearch yields this as a filter for the main search:</P> <PRE><CODE>(CAR_MAKE="foo") OR (CAR_MAKE="bar") OR (CAR_MAKE="baz") </CODE></PRE> <P>Just replace the fixed string with the appropriate $value$.</P> Tue, 26 Feb 2013 21:24:58 GMT https://community.splunk.com/t5/Splunk-Search/Splunks-equivalent-to-the-SQL-quot-IN-quot-function/m-p/44393#M179195 martin_mueller 2013-02-26T21:24:58Z https://community.splunk.com/t5/Splunk-Search/Splunks-equivalent-to-the-SQL-quot-IN-quot-function/m-p/44394#M179196 <P>This worked perfectly! Thank You Thank You</P> Tue, 26 Feb 2013 22:51:10 GMT https://community.splunk.com/t5/Splunk-Search/Splunks-equivalent-to-the-SQL-quot-IN-quot-function/m-p/44394#M179196 marquiselee 2013-02-26T22:51:10Z https://community.splunk.com/t5/Splunk-Search/Splunks-equivalent-to-the-SQL-quot-IN-quot-function/m-p/44395#M179197 <P>We can all celebrate v6.6.1:<BR /> <A href="http://docs.splunk.com/Documentation/SplunkCloud/6.6.1/ReleaseNotes/NewSplunkCloudFeatures">http://docs.splunk.com/Documentation/SplunkCloud/6.6.1/ReleaseNotes/NewSplunkCloudFeatures</A></P> <P>Because this:<BR /> New SQL-like IN SPL operator New SPL operator that acts as a shorthand for multiple disjunctions of one field. See Comparison and Conditional functions and search in the Search Reference manual.</P> <P>So this:<BR /> <A href="http://docs.splunk.com/Documentation/SplunkCloud/6.6.1/SearchReference/ConditionalFunctions#in.28VALUE-LIST.29">http://docs.splunk.com/Documentation/SplunkCloud/6.6.1/SearchReference/ConditionalFunctions#in.28VALUE-LIST.29</A></P> <P>And this:<BR /> You can use this function with the eval, fieldformat, and where commands, and as part of eval expressions with other commands.<BR /> There is also an IN operator that is similar to the in(VALUE-LIST) function that you can use with the search and tstats commands.<BR /> The following syntax is supported:<BR /> ...| where in(field,"value1","value2", ...)<BR /> ...| where field in("value1","value2", ...)<BR /> ...| eval new_field=in(field,"value1","value2", ...)</P> Wed, 04 Oct 2017 15:09:43 GMT https://community.splunk.com/t5/Splunk-Search/Splunks-equivalent-to-the-SQL-quot-IN-quot-function/m-p/44395#M179197 woodcock 2017-10-04T15:09:43Z