Solved: Is there an operator similar to the SQL 'in' opera...

dstuder · ‎10-14-2016

I've been looking through the search documentation to see if Splunk has an operator similar to the SQL 'in' operator. I'm not seeing anything so my hunch is it does not exist, but I thought I would just ask. I know I can just add on a bunch of 'or' clauses but an 'in' operator would just be a bit more concise. Any thoughts?

lguinn2 · ‎06-19-2017

Wish Granted!!! In Splunk 6.6 -

Search command supports IN operator

sourcetype=xyz status IN (100, 102, 103)

Eval and where commands support in function

| where in(status,"222","333","444","555")

View solution in original post

mad4wknds · ‎10-09-2019

Note: This works but it takes way longer of this to return result than if you ran it with field=value pair

lguinn2 · ‎06-19-2017

Wish Granted!!! In Splunk 6.6 -

Search command supports IN operator

sourcetype=xyz status IN (100, 102, 103)

Eval and where commands support in function

| where in(status,"222","333","444","555")

amehta_splunk · ‎05-10-2020

The feature was introduced in Splunk 6.6 (see Release Notes) in May 2017.
Feature: New SQL-like IN SPL operator

New SPL operator that acts as a shorthand for multiple disjunctions of one field. See Comparison and Conditional functions and search in the Search Reference manual.

dstuder · ‎06-19-2017

Handel's Messiah started playing in my mind as soon as I read this. 🙂

dstuder · ‎07-06-2018

Doesn't look like you can do a NOT IN yet. Urg!!

dstuder · ‎07-06-2018

Oh ... wait. I spoke too soon. It looks like it has to be this way.
... AND NOT field IN (val1, val2, val3)
as opposed to
... AND field NOT IN (val1, val2, val3)

somesoni2 · ‎06-19-2017

Superb!!! it was in my wishlist too.

inventsekar · ‎10-14-2016

SQL "in" example -
select a from A where b in (select b from B)
can be done thru subsearches -
sourcetype=a [sourcetype=B | fields b] | fields a

a good discussion on the same topic -
https://answers.splunk.com/answers/173465/whats-the-splunk-equivalent-of-sql-in-clause.html

another example -
https://answers.splunk.com/answers/26989/does-splunk-have-an-equivalent-to-sqls-in-construct.html

1) You could create a lookup (think a big csv file) where each row is one of the values in your tuple.
The lookup would have to have two columns even though in such a simple case the second one feels redundant.

in this case lets say wegive it columns called 'value' and 'weirdness' as your columns.
<your search> | lookup mylookupname fieldName | where weirdness=1
http://www.splunk.com/base/Documentation/4.2.2/User/Fieldlookupstutorial

http://www.splunk.com/base/Documentation/latest/SearchReference/Lookup

2) If the events that you're trying to match on are a tiny subset of the main events, there's another similar way that can be much more efficient. That is to use the inputlookup command within a subsearch. Essentially you're doing that gigantic OR search, butin an automated way
<your search> [ inputlookup mylookupname | fields myfieldname ]

http://www.splunk.com/base/Documentation/4.2.2/User/HowSubsearchesWork

Is there an operator similar to the SQL 'in' operator?

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...