https://community.splunk.com/t5/Splunk-Search/Working-with-where-clause/m-p/691904#M235553 <P>The <FONT face="courier new,courier">IN</FONT> operator is not supported by the <FONT face="courier new,courier">where</FONT> command.&nbsp; You can use <FONT face="courier new,courier">IN</FONT> with the <FONT face="courier new,courier">search</FONT> command or the <FONT face="courier new,courier">in()</FONT> function with the <FONT face="courier new,courier">where</FONT> command.&nbsp; In this case, however, the <FONT face="courier new,courier">IN</FONT> is not needed if the subsearch is part of the base search (before the first pipe).</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">index=provisioning_index cf_org_name=abcd cf_app_name=xyz "ReconCount:" jobNumber [search index=provisioning_index cf_org_name=abcd cf_app_name=xyz operation="operation1" status=SUCCESS |search NOT jobType="Canc"|table jobNumber ] | stats count by deliveryInd | addcoltotals</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 28 Jun 2024 17:53:29 GMT richgalloway 2024-06-28T17:53:29Z https://community.splunk.com/t5/Splunk-Search/Working-with-where-clause/m-p/691900#M235551 <P>Hello,&nbsp;</P> <P>I'm fairly new to splunk, trying to search using where clause and filter the results. The query is running long, wondering if i'm not doin this right.</P> <P>a tone down version of the search:</P> <LI-CODE lang="markup">index=provisioning_index cf_org_name=abcd cf_app_name=xyz "ReconCount:" |where jobNumber IN ([search index=provisioning_index cf_org_name=abcd cf_app_name=xyz operation="operation1" status=SUCCESS |search NOT jobType="Canc"|table jobNumber ]) |stats count by deliveryInd | addcoltotals</LI-CODE> Thu, 27 Jun 2024 23:53:13 GMT https://community.splunk.com/t5/Splunk-Search/Working-with-where-clause/m-p/691900#M235551 RamMur 2024-06-27T23:53:13Z https://community.splunk.com/t5/Splunk-Search/Working-with-where-clause/m-p/691904#M235553 <P>The <FONT face="courier new,courier">IN</FONT> operator is not supported by the <FONT face="courier new,courier">where</FONT> command.&nbsp; You can use <FONT face="courier new,courier">IN</FONT> with the <FONT face="courier new,courier">search</FONT> command or the <FONT face="courier new,courier">in()</FONT> function with the <FONT face="courier new,courier">where</FONT> command.&nbsp; In this case, however, the <FONT face="courier new,courier">IN</FONT> is not needed if the subsearch is part of the base search (before the first pipe).</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">index=provisioning_index cf_org_name=abcd cf_app_name=xyz "ReconCount:" jobNumber [search index=provisioning_index cf_org_name=abcd cf_app_name=xyz operation="operation1" status=SUCCESS |search NOT jobType="Canc"|table jobNumber ] | stats count by deliveryInd | addcoltotals</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 28 Jun 2024 17:53:29 GMT https://community.splunk.com/t5/Splunk-Search/Working-with-where-clause/m-p/691904#M235553 richgalloway 2024-06-28T17:53:29Z https://community.splunk.com/t5/Splunk-Search/Working-with-where-clause/m-p/691961#M235564 <P>Afte trying that , it errors out saying&nbsp;</P><P><SPAN>"Error in 'search' command: Unable to parse the search: Right hand side of IN must be a collection of literals. '((jobNumber = "3333") OR (jobNumber = "11111")&nbsp;. OR ..."</SPAN></P> Fri, 28 Jun 2024 17:29:53 GMT https://community.splunk.com/t5/Splunk-Search/Working-with-where-clause/m-p/691961#M235564 RamMur 2024-06-28T17:29:53Z https://community.splunk.com/t5/Splunk-Search/Working-with-where-clause/m-p/691964#M235565 <P>Ah, I should have expected that.&nbsp; Try my revised query without <FONT face="courier new,courier">IN</FONT>.</P> Fri, 28 Jun 2024 17:51:46 GMT https://community.splunk.com/t5/Splunk-Search/Working-with-where-clause/m-p/691964#M235565 richgalloway 2024-06-28T17:51:46Z