Change textbook to search on multiple values?

POR160893 · ‎05-29-2023

Hi,

I have the following search that searches an index based on 2 textbook inputs:

| inputlookup ABC
| search src=$src_tok$ OR dest=$dest_tok$

I need to change this such that multiple src's or multiple dest's are inputted at a given time by a user.

Something like the following if dest="10.175.96.146 10.175.96.147 10.175.96.148 0.175.96.149 10.175.96.150 10.175.96.183":

| inputlookup ABC
| search src=* OR (dest=10.175.96.146 AND dest=10.175.96.147 AND dest= 10.175.96.148 AND dest=10.175.96.149 AND dest=10.175.96.150 AND dest=10.175.96.183)

How can I change my current search to search on multiple inputted values?

Thanks as always 🙂

isoutamo · ‎05-29-2023

Hi

maybe this helps you

| inputlookup ABC
| search src=* OR [
   | makeresults 
   | eval dest="10.175.96.146 10.175.96.147 10.175.96.148 10.175.96.149 10.175.96.150 10.175.96.183" 
   | eval dest=split(dest," ") 
   | fields dest 
   | format mvsep="AND"]

r. Ismo

Change textbook to search on multiple values?

fields

stats

subsearch

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Accelerating Observability as Code with the Splunk AI Assistant

Join the Conversation

Change textbook to search on multiple values?

fields

stats

subsearch

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Accelerating Observability as Code with the Splunk AI Assistant