Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Change textbook to search on multiple values?

POR160893
Builder
‎05-29-2023 05:55 AM

Hi,

I have the following search that searches an index based on 2 textbook inputs:

| inputlookup ABC
| search src=$src_tok$ OR dest=$dest_tok$



I need to change this such that multiple src's or multiple dest's are inputted at a given time by a user.

Something like the following if dest="10.175.96.146 10.175.96.147 10.175.96.148 0.175.96.149 10.175.96.150 10.175.96.183":

| inputlookup ABC
| search src=* OR (dest=10.175.96.146 AND dest=10.175.96.147 AND dest= 10.175.96.148 AND dest=10.175.96.149 AND dest=10.175.96.150 AND dest=10.175.96.183)



How can I change my current search to search on multiple inputted values?


Thanks as always 🙂

Labels (3)
Labels
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎05-29-2023 06:30 AM

Hi

maybe this helps you

| inputlookup ABC
| search src=* OR [
   | makeresults 
   | eval dest="10.175.96.146 10.175.96.147 10.175.96.148 10.175.96.149 10.175.96.150 10.175.96.183" 
   | eval dest=split(dest," ") 
   | fields dest 
   | format mvsep="AND"]

r. Ismo 

Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...