Splunk Search

Error in 'search' command: Unable to parse the search: Right hand side of IN must be a collection of literals.

TheBravoSierra
Path Finder

I'm trying to look for senders where they don't contain values from the lookup mimics.csv. Examples of values in the lookup are:

*google.com*

*yahoo.com*

I've already set WILDCARD(sender) in the definition. 

Below is the search I'm trying to do:
index=test
| search sender IN [inputlookup mimics.csv]
| table _time,mid,src_ip,sender,subject,recipient

But I keep getting this error: 
Error in 'search' command: Unable to parse the search: Right hand side of IN must be a collection of literals.'(sender = "*google.com*")' is not a literal.


bowesmana
SplunkTrust

@TheBravoSierra 

The WILDCARD attribute of a lookup applies to the use of the lookup command, not the inputlookup command, so that's not relevant here.

The IN part of search is

sender IN (a,b,c,d,e)

and would not apply to wildcarded phrases like you are trying to do.

A simple way to do what you are doing is

index=test [ | inputlookup mimics.csv | fields sender ]
| table _time,mid,src_ip,sender,subject,recipient

although without knowing what you are trying to get from your lookup, I don't know if that will give you what you want.

Note that subsearches do not need an additional pipeline 'search' command; you can add them directly to the initial search as above.

 One way to see what the subsearch is passing to the outer search is to do this

| inputlookup mimics.csv | fields sender | format

and you will see the return value coming from the subsearch that will be used as part of the search.

 

TheBravoSierra
Path Finder

Sorry, I forgot to mention what I am trying to get. Index=test has senders that are like 123google.com and google123.com. So I want to see the results where sender in index=test contains wildcard phrases from the sender field in the lookup table.

Does that make sense? For example...

 

Senders in index=test:

123google.com 

google123.com

Wildcard sender phrases in lookup:

*google1* (would match)
*2google* (would not match)


bowesmana
SplunkTrust

So, my reply above should do that. If you run the | inputlookup command on its own as shown, you will see how that is affecting the search. It will give you something like

( ( sender="*google1*" ) OR ( sender="*2google*" ))

so, from your index=test example data, the 'google123.com' event sender would match that search.

 
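To make the behaviour described in the replies above concrete, here is an added Python model (not Splunk's own code and not from anyone in this thread) of what `| inputlookup mimics.csv | fields sender | format` hands to the outer search, and of how Splunk's `*` wildcard then matches event senders. The lookup rows and events are constructed sample data standing in for mimics.csv and index=test; the spacing of the generated clause approximates what the reply shows, and the model does not reproduce Splunk's handling of an empty subsearch.

```python
import csv
import io
import re

# Constructed sample lookup, standing in for the poster's mimics.csv.
MIMICS_CSV = """sender
*google1*
*2google*
"""

# Constructed sample events, standing in for index=test.
EVENTS = [
    {"_time": "2024-05-01T10:00:00", "mid": "1", "sender": "123google.com"},
    {"_time": "2024-05-01T10:01:00", "mid": "2", "sender": "google123.com"},
    {"_time": "2024-05-01T10:02:00", "mid": "3", "sender": "mail.yahoo.com"},
]


def lookup_senders(csv_text: str) -> list[str]:
    """Model of `| inputlookup mimics.csv | fields sender`: just the sender column."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [row["sender"] for row in rows if row.get("sender")]


def format_subsearch(field: str, values: list[str]) -> str:
    """Model of `| format`: one quoted field="value" term per row, OR-ed together.

    This is the text that replaces the [ ... ] subsearch in the outer search,
    which is why `sender IN [...]` fails: the subsearch yields a search clause,
    not a list of literals.
    """
    if not values:
        # Empty lookup: no filter terms. Splunk's own empty-subsearch output
        # is not modelled here.
        return ""
    terms = [f'( {field}="{value}" )' for value in values]
    return "( " + " OR ".join(terms) + " )"


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Splunk-style glob: `*` matches any run of characters, everything else
    is literal (so the '.' in *yahoo.com* is a real dot), and field value
    matching is case-insensitive."""
    literal_parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile("^" + ".*".join(literal_parts) + "$", re.IGNORECASE)


def matching_events(events: list[dict], field: str, patterns: list[str]) -> list[dict]:
    """Events whose `field` matches at least one wildcard pattern (the OR clause)."""
    regexes = [wildcard_to_regex(p) for p in patterns]
    return [e for e in events if any(r.match(e.get(field, "")) for r in regexes)]


def demo() -> tuple[str, list[str]]:
    """Run the whole pipeline on the constructed data: (generated clause, matching senders)."""
    patterns = lookup_senders(MIMICS_CSV)
    clause = format_subsearch("sender", patterns)
    hits = matching_events(EVENTS, "sender", patterns)
    return clause, [e["sender"] for e in hits]


if __name__ == "__main__":
    clause, hits = demo()
    print("Outer search becomes: index=test", clause)
    print("Matching senders:", hits)
```

On the constructed data only `google123.com` survives, as the reply says: `*google1*` needs the literal text `google1`, which `123google.com` lacks, and `*2google*` needs `2google`, which `123google.com` also lacks because the `3` sits in between. One practical caveat when using this on a real lookup: a subsearch's output is capped (by default 10,000 results, and `format` has its own `maxresults` limit), so a large mimics.csv gets silently truncated and some senders are never searched for.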
