https://community.splunk.com/t5/Splunk-Search/How-can-I-pass-dynamic-values-to-the-IN-operator/m-p/585083#M203809 <P>This can be slightly simplified by renaming myField to query in the subsearch because the format command treats this as a special case and doesn't include the "query=" in the formatted string</P><LI-CODE lang="markup">... myField IN ( [ search ... ```We only need one field``` | fields myField ```Remove duplicate values``` | dedup myField ``` rename field to query | rename myField as query ```Format the results using no delimeters``` | format mvsep="" "" "" "" "" "" "" ] )</LI-CODE> Tue, 15 Feb 2022 07:09:55 GMT ITWhisperer 2022-02-15T07:09:55Z https://community.splunk.com/t5/Splunk-Search/How-can-I-pass-dynamic-values-to-the-IN-operator/m-p/585035#M203800 <P>&nbsp;</P><P>I tried this :&nbsp;</P><P><STRONG>.... myField IN (</STRONG><BR /><STRONG>[search ..| table myField])</STRONG></P><P>Where the values passed to the IN operator will be calculate dynamically from another search&nbsp;</P><P>But that returns&nbsp;</P><P><SPAN>Unable to parse the search: Right hand side of IN must be a collection of literals. '((myField = "123") OR (myField = "1234")&nbsp;</SPAN></P><P><SPAN>How can I do this?</SPAN></P> Mon, 14 Feb 2022 21:02:35 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-pass-dynamic-values-to-the-IN-operator/m-p/585035#M203800 yk010123 2022-02-14T21:02:35Z https://community.splunk.com/t5/Splunk-Search/How-can-I-pass-dynamic-values-to-the-IN-operator/m-p/585046#M203801 <P>Subsearches aren't designed to work with the IN operator since IN is relatively new.&nbsp; We can make it work, however.&nbsp; Try this</P><LI-CODE lang="markup">... myField IN ( [ search ... ```We only need one field``` | fields myField ```Remove duplicate values``` | dedup myField ```Format the results using no delimeters``` | format mvsep="" "" "" "" "" "" "" ```Remove "myField=" from the formatted string``` | eval search=replace(search, "myField =", "") ]</LI-CODE> Tue, 15 Feb 2022 01:27:04 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-pass-dynamic-values-to-the-IN-operator/m-p/585046#M203801 richgalloway 2022-02-15T01:27:04Z https://community.splunk.com/t5/Splunk-Search/How-can-I-pass-dynamic-values-to-the-IN-operator/m-p/585083#M203809 <P>This can be slightly simplified by renaming myField to query in the subsearch because the format command treats this as a special case and doesn't include the "query=" in the formatted string</P><LI-CODE lang="markup">... myField IN ( [ search ... ```We only need one field``` | fields myField ```Remove duplicate values``` | dedup myField ``` rename field to query | rename myField as query ```Format the results using no delimeters``` | format mvsep="" "" "" "" "" "" "" ] )</LI-CODE> Tue, 15 Feb 2022 07:09:55 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-pass-dynamic-values-to-the-IN-operator/m-p/585083#M203809 ITWhisperer 2022-02-15T07:09:55Z https://community.splunk.com/t5/Splunk-Search/How-can-I-pass-dynamic-values-to-the-IN-operator/m-p/585268#M203889 <P>Or you can simplify to this in most cases:</P><LI-CODE lang="markup">&lt;your-search&gt; [search &lt;the search you wish to write&gt; | table myField]</LI-CODE><P>- As far as field name myField is common in both searches.</P><P>- Splunk will automatically add the <STRONG>IN</STRONG> operator.</P> Wed, 16 Feb 2022 06:16:29 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-pass-dynamic-values-to-the-IN-operator/m-p/585268#M203889 VatsalJagani 2022-02-16T06:16:29Z https://community.splunk.com/t5/Splunk-Search/How-can-I-pass-dynamic-values-to-the-IN-operator/m-p/585336#M203922 <BLOCKQUOTE><HR /><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/93915">@VatsalJagani</a>&nbsp;wrote:<BR /><P>- Splunk will automatically add the <STRONG>IN</STRONG> operator.</P><HR /></BLOCKQUOTE><P>Not exactly.&nbsp; Splunk will automatically convert the subsearch into a series of OR clauses, which is the same thing it does with the IN operator.<BR /><BR /></P> Wed, 16 Feb 2022 12:54:12 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-pass-dynamic-values-to-the-IN-operator/m-p/585336#M203922 richgalloway 2022-02-16T12:54:12Z https://community.splunk.com/t5/Splunk-Search/How-can-I-pass-dynamic-values-to-the-IN-operator/m-p/585390#M203951 <P>Yeah, that is correct both will be converted to OR operators but those are one or the same thing. So to avoid confusion I generally say IN operator.</P><P>But thanks for clarification.</P> Wed, 16 Feb 2022 16:11:33 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-pass-dynamic-values-to-the-IN-operator/m-p/585390#M203951 VatsalJagani 2022-02-16T16:11:33Z https://community.splunk.com/t5/Splunk-Search/How-can-I-pass-dynamic-values-to-the-IN-operator/m-p/667373#M228949 <P>Incredible answer!</P> Sat, 04 Nov 2023 12:50:07 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-pass-dynamic-values-to-the-IN-operator/m-p/667373#M228949 lmonahan 2023-11-04T12:50:07Z https://community.splunk.com/t5/Splunk-Search/How-can-I-pass-dynamic-values-to-the-IN-operator/m-p/667374#M228950 <P>Another incredible answer!&nbsp; These helped me a lot!</P> Sat, 04 Nov 2023 12:50:27 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-pass-dynamic-values-to-the-IN-operator/m-p/667374#M228950 lmonahan 2023-11-04T12:50:27Z