Solved: Re: Can I use the "IN" command like this?

twjack · ‎07-10-2019

index=myIndex FieldA="A" AND LogonType IN (4,5,8,9,10,11,12)

The documentation says it is used with "eval" or "where" and returns only the value "true".

But it also seems to work as described above.

Now I'm unsure if this is "failsafe" as an initial search...

FrankVl · ‎07-10-2019

Not sure what documentation you are referring to, but yes, since Splunk v6.6.0 you can also use it like that. See the documentation for the search command: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Search#Multiple_field-value_comp...

FrankVl · ‎07-10-2019

Not sure what documentation you are referring to, but yes, since Splunk v6.6.0 you can also use it like that. See the documentation for the search command: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Search#Multiple_field-value_comp...

twjack · ‎07-10-2019

Holy crap, I actually looked in the wrong documentation. I must have been blind. Thank you.

Can I use the "IN" command like this?