Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can an IN clause in a SPL query have 277 values?

mihir_hardas
Explorer
‎07-21-2022 12:07 AM

How many values are allowed in an IN clause which is part of where clause? I want to read 277 values to be precise.


index=abc sourcetype="ccinfrap.dc_pqr_jws:app"
"[SubscriptionService] Consumer sent message"
"Not Predicted to Finish"
| rex mode=sed "s/^.*message {/{/"
| rex mode=sed "s/\n}.*/\n}/"
| spath
| fillnull jobStreamName value="BLANK"
| where jobStreamName IN(
"stream1"
,"stream2"
,"stream3"
.

.

,"stream277"
)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎07-21-2022 01:34 AM

I wouldn't be so sure about the performance of one vs. another. If you limit events at the initial stage, you get less results to process further down the pipeline. If you just do search * | lookup | where, Splunk has to do a lookup on every single event returned. (I know that Splunk can be clever and can sometimes optimize out some simple SPL constructions but I don't think it's this case).

EDIT: OK. I didn't read the original post thoroughly enough - OP himself did some trickery and got the "| where" part at the end. I still think this condition should be incorporated into the initial search (possibly by searching over the _raw data, withouth matching specific fields). It could save us some time especially since there's a relatively heavy spath further down the road.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎08-01-2022 11:37 PM

Hi @mihir_hardas ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the Contributors 😉

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎07-21-2022 01:29 AM

Hi @mihir_hardas ,

having so many values, why don't you think to use a lookup to contain the 277 values?

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

mihir_hardas
Explorer
‎08-01-2022 05:47 AM

The only reason to go for such a long IN clause is because I feel its faster than using lookup. The lookup is very very slow.

0 Karma
Reply
Solved! Jump to solution

javiergn
Super Champion
‎07-21-2022 12:21 AM

It probably can but would it not be cleaner to use a lookup table instead?

So instead of

| where jobStreamName IN(
"stream1"
,"stream2"
,"stream3"
...
,"stream277"
)

 

You would do:

| lookup jobStreamLookup jobStreamName as jobStreamName OUTPUT jobStreamName AS match
| where isNotNull(match)

 

Your lookup file would be as simple as:

 

jobStreamName
-----------------------
stream1
stream2
stream3
...

 

Be careful with the case sensitivity though.

 

Regards,

Javier

0 Karma
Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎07-21-2022 01:34 AM

I wouldn't be so sure about the performance of one vs. another. If you limit events at the initial stage, you get less results to process further down the pipeline. If you just do search * | lookup | where, Splunk has to do a lookup on every single event returned. (I know that Splunk can be clever and can sometimes optimize out some simple SPL constructions but I don't think it's this case).

EDIT: OK. I didn't read the original post thoroughly enough - OP himself did some trickery and got the "| where" part at the end. I still think this condition should be incorporated into the initial search (possibly by searching over the _raw data, withouth matching specific fields). It could save us some time especially since there's a relatively heavy spath further down the road.

0 Karma
Reply
Get Updates on the Splunk Community!

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...

4 Ways the Splunk Community Helps You Prepare for .conf25

.conf25 is right around the corner, and whether you’re a first-time attendee or a seasoned Splunker, the ...