topic Re: Is there a way to populate an &quot;IN (...)&quot; with items from subsearch? in Splunk Search https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-populate-an-quot-IN-quot-with-items-from/m-p/608152#M211455 <P>Since the <FONT face="courier new,courier">IN</FONT> operator is mapped to a series of <FONT face="courier new,courier">OR</FONT>s under the covers, use the <FONT face="courier new,courier">OR</FONT> output produced by the subsearch.</P><P>&nbsp;</P><LI-CODE lang="markup">index=x accountid [ search index=special_accounts | rename accountid as query | fields query | format ]</LI-CODE><P>&nbsp;</P> Wed, 03 Aug 2022 18:32:22 GMT richgalloway 2022-08-03T18:32:22Z Is there a way to populate an "IN (...)" with items from subsearch? https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-populate-an-quot-IN-quot-with-items-from/m-p/608150#M211453 <P>Is there a way to populate the items in an "IN" statement with the results of a sub query?&nbsp; I've tried several variations.</P> <P>index=x accountid IN ( [ search index=special_accounts | rename accountid as query ] )&nbsp;</P> Wed, 03 Aug 2022 17:49:41 GMT https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-populate-an-quot-IN-quot-with-items-from/m-p/608150#M211453 spinnerdog 2022-08-03T17:49:41Z Re: Is there a way to populate an "IN (...)" with items from subsearch? https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-populate-an-quot-IN-quot-with-items-from/m-p/608152#M211455 <P>Since the <FONT face="courier new,courier">IN</FONT> operator is mapped to a series of <FONT face="courier new,courier">OR</FONT>s under the covers, use the <FONT face="courier new,courier">OR</FONT> output produced by the subsearch.</P><P>&nbsp;</P><LI-CODE lang="markup">index=x accountid [ search index=special_accounts | rename accountid as query | fields query | format ]</LI-CODE><P>&nbsp;</P> Wed, 03 Aug 2022 18:32:22 GMT https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-populate-an-quot-IN-quot-with-items-from/m-p/608152#M211455 richgalloway 2022-08-03T18:32:22Z Re: Is there a way to populate an "IN (...)" with items from subsearch? https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-populate-an-quot-IN-quot-with-items-from/m-p/608153#M211456 <P class="lia-align-left">Okay, thanks.&nbsp; Was trying to work around using the format command, but maybe there is a way to use it differently.&nbsp; How can you make the format command produce output like.</P><P class="lia-align-left">[search index=special_accounts | table accountid | format mvsep=AND ]</P><P class="lia-align-left">where the desired output would use != instead of =</P><P class="lia-align-left">(accountid!=xxx AND accountid!=yyy AND ...)</P><P class="lia-align-left">&nbsp;</P><P class="lia-align-left">Thanks</P> Wed, 03 Aug 2022 18:07:11 GMT https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-populate-an-quot-IN-quot-with-items-from/m-p/608153#M211456 spinnerdog 2022-08-03T18:07:11Z Re: Is there a way to populate an "IN (...)" with items from subsearch? https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-populate-an-quot-IN-quot-with-items-from/m-p/608158#M211459 <P>Why avoid <FONT face="courier new,courier">format</FONT>?&nbsp; It produces the same thing that <FONT face="courier new,courier">IN</FONT> does.</P><P>You can change <FONT face="courier new,courier">OR</FONT> to <FONT face="courier new,courier">AND</FONT> in <FONT face="courier new,courier">format</FONT>, but there's no way I can find to change <FONT face="courier new,courier">=</FONT> to <FONT face="courier new,courier">!=</FONT>.&nbsp; However, "<FONT face="courier new,courier">(foo!=bar AND foo!=baz)</FONT>" is not the same as "<FONT face="courier new,courier">foo IN (bar, baz)</FONT>", which is what I thought the OP wanted.</P> Wed, 03 Aug 2022 18:31:51 GMT https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-populate-an-quot-IN-quot-with-items-from/m-p/608158#M211459 richgalloway 2022-08-03T18:31:51Z Re: Is there a way to populate an "IN (...)" with items from subsearch? https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-populate-an-quot-IN-quot-with-items-from/m-p/608160#M211461 <P>correct, its just the inverse of what the format command produces.&nbsp; I have a list of valid values and I want the events with invalid values.&nbsp; Was hoping to use something line NOT IN (...).&nbsp; But that's not an option and I also can't find a way to change = to "!=".</P> Wed, 03 Aug 2022 18:36:36 GMT https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-populate-an-quot-IN-quot-with-items-from/m-p/608160#M211461 spinnerdog 2022-08-03T18:36:36Z Re: Is there a way to populate an "IN (...)" with items from subsearch? https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-populate-an-quot-IN-quot-with-items-from/m-p/608180#M211471 <P>Oh!&nbsp; That's easy!&nbsp; Just negate the subsearch.</P><LI-CODE lang="markup">index=x accountid NOT [ search index=special_accounts | rename accountid as query | fields query | format ]</LI-CODE><P>It'll give you <FONT face="courier new,courier">NOT (foo=bar OR foo=baz)</FONT></P> Wed, 03 Aug 2022 20:18:10 GMT https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-populate-an-quot-IN-quot-with-items-from/m-p/608180#M211471 richgalloway 2022-08-03T20:18:10Z