Change textbook to search on multiple values?

POR160893 · ‎05-29-2023

Hi,

I have the following search that searches an index based on 2 textbook inputs:

| inputlookup ABC
| search src=$src_tok$ OR dest=$dest_tok$

I need to change this such that multiple src's or multiple dest's are inputted at a given time by a user.

Something like the following if dest="10.175.96.146 10.175.96.147 10.175.96.148 0.175.96.149 10.175.96.150 10.175.96.183":

| inputlookup ABC
| search src=* OR (dest=10.175.96.146 AND dest=10.175.96.147 AND dest= 10.175.96.148 AND dest=10.175.96.149 AND dest=10.175.96.150 AND dest=10.175.96.183)

How can I change my current search to search on multiple inputted values?

Thanks as always 🙂

isoutamo · ‎05-29-2023

Hi

maybe this helps you

| inputlookup ABC
| search src=* OR [
   | makeresults 
   | eval dest="10.175.96.146 10.175.96.147 10.175.96.148 10.175.96.149 10.175.96.150 10.175.96.183" 
   | eval dest=split(dest," ") 
   | fields dest 
   | format mvsep="AND"]

r. Ismo

Change textbook to search on multiple values?

fields

stats

subsearch

Can’t make it to .conf25? Join us online!

Level Up Your .conf25: Splunk Arcade Comes to Boston

Manual Instrumentation with Splunk Observability Cloud: How to Instrument Frontend ...

Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform

Are you a member of the Splunk Community?

Change textbook to search on multiple values?

fields

stats

subsearch

Can’t make it to .conf25? Join us online!

Level Up Your .conf25: Splunk Arcade Comes to Boston

Manual Instrumentation with Splunk Observability Cloud: How to Instrument Frontend ...

Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform