https://community.splunk.com/t5/Splunk-Search/Generate-values-for-IN-search/m-p/656401#M226718 <P>Thank you&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;and&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/6367">@bowesmana</a>&nbsp; - I'd accept both as the solution if I could as I learned about the <FONT face="simsun,hei"><STRONG>return</STRONG> </FONT>and <FONT face="simsun,hei"><STRONG>format</STRONG> </FONT>commands from you both. I accepted <FONT face="simsun,hei"><STRONG>return</STRONG> </FONT>as the solution since I wanted to use the <FONT face="simsun,hei"><STRONG>IN</STRONG> </FONT>search, and couldn't format the <STRONG><FONT face="simsun,hei">format </FONT></STRONG>command to remove the column names from the generated string. Not sure this is right, but I ended up having to use an <STRONG><FONT face="simsun,hei">eval&nbsp;</FONT></STRONG>command to append quotesa and commas to my values, prior to the <FONT face="simsun,hei"><STRONG>return</STRONG> </FONT>statement. In the end, it was something like...&nbsp;</P><LI-CODE lang="cpp">index=syslog src_ip IN ( [ | tstats count from datamodel=Random by ips | stats values(ips) as IP | eval IP = "\"".IP."\"," | return $IP ] )</LI-CODE><P>&nbsp;Thanks again!</P> Fri, 01 Sep 2023 09:53:30 GMT makelovenotwar 2023-09-01T09:53:30Z https://community.splunk.com/t5/Splunk-Search/Generate-values-for-IN-search/m-p/656321#M226691 <P class="lia-align-left">How do I use a search to generate values to use inside of an <STRONG>IN</STRONG> search? For example:</P><P class="lia-align-left">&nbsp;</P><P>&nbsp;</P><LI-CODE lang="c">index=syslog src_ip IN ( | tstats count from datamodel=Random by ips | stats values(ips) as IP | eval IP = mvjoin(IP, ",")</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>I tried the method above but it's not working. Thank you!</P> Thu, 31 Aug 2023 20:08:56 GMT https://community.splunk.com/t5/Splunk-Search/Generate-values-for-IN-search/m-p/656321#M226691 makelovenotwar 2023-08-31T20:08:56Z https://community.splunk.com/t5/Splunk-Search/Generate-values-for-IN-search/m-p/656330#M226693 <P>Don't bother.&nbsp; <FONT face="courier new,courier">IN</FONT> optimizes to a series of <FONT face="courier new,courier">OR</FONT>s so just start with that.</P><LI-CODE lang="markup">index=syslog [ | tstats count from datamodel=Random by ips | rename ips as src_ip | fields src_ip | format ]</LI-CODE><P>The subsearch will run first and use the <FONT face="courier new,courier">format</FONT> command to produce a string like "(src_ip=1.2.3.4 OR src_ip=2.3.4.5)" which will become part of the main search.</P> Thu, 31 Aug 2023 20:21:56 GMT https://community.splunk.com/t5/Splunk-Search/Generate-values-for-IN-search/m-p/656330#M226693 richgalloway 2023-08-31T20:21:56Z https://community.splunk.com/t5/Splunk-Search/Generate-values-for-IN-search/m-p/656368#M226710 <P>What&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;is correct, but technically it's possible to format the return value so it can be used in the IN statement - your problem is that you are not crafting a subsearch - you're missing the [] subsearch brackets&nbsp; - but you could do it like this - but you wouldn't really want to...</P><LI-CODE lang="markup">index=syslog src_ip IN ( [ | tstats count from datamodel=Random by ips | stats values(ips) as IP ``` You could technically do this, but it's not necessary | eval IP = mvjoin(IP, ",")``` ``` Use this return $ statement to return a space separated string but you could technically use the mvjoin and have a comma separated one``` | return $IP ] )</LI-CODE><P>&nbsp;</P> Fri, 01 Sep 2023 06:57:44 GMT https://community.splunk.com/t5/Splunk-Search/Generate-values-for-IN-search/m-p/656368#M226710 bowesmana 2023-09-01T06:57:44Z https://community.splunk.com/t5/Splunk-Search/Generate-values-for-IN-search/m-p/656401#M226718 <P>Thank you&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;and&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/6367">@bowesmana</a>&nbsp; - I'd accept both as the solution if I could as I learned about the <FONT face="simsun,hei"><STRONG>return</STRONG> </FONT>and <FONT face="simsun,hei"><STRONG>format</STRONG> </FONT>commands from you both. I accepted <FONT face="simsun,hei"><STRONG>return</STRONG> </FONT>as the solution since I wanted to use the <FONT face="simsun,hei"><STRONG>IN</STRONG> </FONT>search, and couldn't format the <STRONG><FONT face="simsun,hei">format </FONT></STRONG>command to remove the column names from the generated string. Not sure this is right, but I ended up having to use an <STRONG><FONT face="simsun,hei">eval&nbsp;</FONT></STRONG>command to append quotesa and commas to my values, prior to the <FONT face="simsun,hei"><STRONG>return</STRONG> </FONT>statement. In the end, it was something like...&nbsp;</P><LI-CODE lang="cpp">index=syslog src_ip IN ( [ | tstats count from datamodel=Random by ips | stats values(ips) as IP | eval IP = "\"".IP."\"," | return $IP ] )</LI-CODE><P>&nbsp;Thanks again!</P> Fri, 01 Sep 2023 09:53:30 GMT https://community.splunk.com/t5/Splunk-Search/Generate-values-for-IN-search/m-p/656401#M226718 makelovenotwar 2023-09-01T09:53:30Z