
Hi, I tried to search as below, with the where in(VALUELIST) function as described in: http://docs.splunk.com/Documentation/Splunk/6.6.0/SearchReference/ConditionalFunctions
sourcetype=foo TradeEvent=NEW | where in(TradeID,"value1","value2") | fields TradeID
But I got the error in the title. Could you advise?
Thanks.

Splunk 6.6.x introduces an IN clause similar to SQL. So if you are on 6.5.2 you won't have it.
https://docs.splunk.com/Documentation/Splunk/6.6.0/ReleaseNotes/MeetSplunk
New SQL-like IN SPL operator: New SPL operator that acts as a shorthand for multiple disjunctions of one field. See Comparison and Conditional functions and search in the Search Reference manual.
6.5.2 Where operators: http://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Where

We can all celebrate v6.6.1:
http://docs.splunk.com/Documentation/SplunkCloud/6.6.1/ReleaseNotes/NewSplunkCloudFeatures
Because this:
New SQL-like IN SPL operator: New SPL operator that acts as a shorthand for multiple disjunctions of one field. See Comparison and Conditional functions and search in the Search Reference manual.
And this:
You can use this function with the eval, fieldformat, and where commands, and as part of eval expressions with other commands.
There is also an IN operator that is similar to the in(VALUE-LIST) function that you can use with the search and tstats commands.
The following syntax is supported:
...| where in(field,"value1","value2", ...)
...| where field in("value1","value2", ...)
...| eval new_field=in(field,"value1","value2", ...)

Just to make sure; are you running Splunk 6.6.0?
Because if you are on Splunk Cloud (as tagged), the version is Splunk 6.5.1612.

I'm using Splunk Enterprise 6.5.2.
The Splunk-Enterprise tag for some reason is not allowed to be used; error: The following topics are not present in the system, and you don't have permissions to create new ones: splunk-enterprise

@leonjxtan, in() seems to be supported only in 6.6 onward... Following is the list of supported evaluation functions for 6.5.2:
http://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/CommonEvalFunctions
| makeresults | eval message= "Happy Splunking!!!"

oh ic. thank you.
