topic Re: Issue with using "search IN" command within map in Splunk Search

Issue with using "search IN" command within map

Kristian_86 — Thu, 30 Nov 2023 17:35:42 GMT

Hello,
I have the following issue, do you know any solution or workaround?
(Or maybe I declared something wrongly...)
When using a comma separated field values in MAP within the IN command, it is not working from the outer search. But when I write out the value of that outside field, it is recognized.

Re: Issue with using "search IN" command within map

bowesmana — Thu, 30 Nov 2023 22:05:23 GMT

Most likely because the substitution is passing $ips$ as the string "a,c,x" and if you search for

| search ips IN ("a,c,x")

you also get no results

You could do it differently using where, for example this works

| eval outer_ips=split($ips$, ",") | where ips=outer_ips

or this

| where match($ips$, ips)

assuming your use case is IP addresses, the where option also allows for cirdmatch if that is useful.

Re: Issue with using "search IN" command within map

Kristian_86 — Mon, 04 Dec 2023 15:09:28 GMT

Thank you for your answer, it helped me out. 🙂
The final version was a bit more trickier as in the ips field can be an "*" instead of any listed values and in that case any of the found values should be considered.
So this was the final solution:

Re: Issue with using "search IN" command within map

bowesmana — Mon, 04 Dec 2023 21:38:01 GMT

Just as an aside on the use of map, note that it is not a practical command for use on large datasets, as each map result gets executed in its own serial search, so it can take time and depending on the search can cause a lot of overhead to iterate through large result sets.

Often there is an alternative way to write the search (but not always). Depends on the use case.