Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Comparing multivalue field with single value field...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I was looking for a way to input multiple text inputs on a dashboard and searching the inputs against a single value field, and I have concluded that splunk has no other way to handle multi text input with the exception of created an inputlookup table or creating a multivalue input and using makemv and mvexpand. (correct me if i am wrong). And i do not want to create a inputlookup table
Problem now is how would i compare the values in the multivalue field and a single value field
Below is my spl:
mysearch [stats count| eval my_mv="$IPs$"|makemv my_mv delim="," | mvexpand my_mv ]
basically i have an input of multiple IPs(my_mv) and i want to search these IPs against an existing srcip field and return the events associated with the matched srcip.
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
A multiselect input field can produce an output token value that looks like...
( ( field1="value1" ) OR ( field1="value2" ) OR ( field1="value3" ) ... )
You do that by setting the input's <valueprefix> and <valuesuffix> and <delimiter> tags.
See this for more info https://docs.splunk.com/Documentation/Splunk/7.0.3/Viz/PanelreferenceforSimplifiedXML
You can create a similar effect in code, by putting the code inside the brackets of a subsearch, using the format command with parameters as desired, and then optionally using a rex mode=sed field=search "s/some thing/some other thing/g" command to customize some thing into some other thing.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
A multiselect input field can produce an output token value that looks like...
( ( field1="value1" ) OR ( field1="value2" ) OR ( field1="value3" ) ... )
You do that by setting the input's <valueprefix> and <valuesuffix> and <delimiter> tags.
See this for more info https://docs.splunk.com/Documentation/Splunk/7.0.3/Viz/PanelreferenceforSimplifiedXML
You can create a similar effect in code, by putting the code inside the brackets of a subsearch, using the format command with parameters as desired, and then optionally using a rex mode=sed field=search "s/some thing/some other thing/g" command to customize some thing into some other thing.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you're using Splunk 6.6 OR above, you get an IN operator in your search command using which you can search multiple values. I belive something like this would work (for comma separated list of IPs)
mysearch src_ip IN ($IPs$)
See this for more details
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi somesoni2, i am aware of the IN operator for 6.6 and beyond, unfortunately, we would not be upgrading the Splunk platform anytime soon 😞
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
