Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Generate values for IN search

makelovenotwar
Path Finder
‎08-31-2023 01:08 PM

How do I use a search to generate values to use inside of an IN search? For example:

 

 

index=syslog src_ip IN ( | tstats count from datamodel=Random by ips | stats values(ips) as IP | eval IP = mvjoin(IP, ",")

 

 

I tried the method above but it's not working. Thank you!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎08-31-2023 11:57 PM

What @richgalloway is correct, but technically it's possible to format the return value so it can be used in the IN statement - your problem is that you are not crafting a subsearch - you're missing the [] subsearch brackets  - but you could do it like this - but you wouldn't really want to...

index=syslog src_ip IN ( 
  [ 
    | tstats count from datamodel=Random by ips 
    | stats values(ips) as IP 
``` You could technically do this, but it's not necessary
    | eval IP = mvjoin(IP, ",")```
``` Use this return $ statement to return a space separated string 
    but you could technically use the mvjoin and have a comma separated one```
    | return $IP
  ]
)

 

View solution in original post

Reply
Solved! Jump to solution

makelovenotwar
Path Finder
‎09-01-2023 02:53 AM

Thank you @richgalloway and @bowesmana  - I'd accept both as the solution if I could as I learned about the return and format commands from you both. I accepted return as the solution since I wanted to use the IN search, and couldn't format the format command to remove the column names from the generated string. Not sure this is right, but I ended up having to use an eval command to append quotesa and commas to my values, prior to the return statement. In the end, it was something like... 

index=syslog src_ip IN ( 
  [ 
    | tstats count from datamodel=Random by ips 
    | stats values(ips) as IP 
    | eval IP = "\"".IP."\","
    | return $IP
  ]
)

 Thanks again!

Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎08-31-2023 11:57 PM

What @richgalloway is correct, but technically it's possible to format the return value so it can be used in the IN statement - your problem is that you are not crafting a subsearch - you're missing the [] subsearch brackets  - but you could do it like this - but you wouldn't really want to...

index=syslog src_ip IN ( 
  [ 
    | tstats count from datamodel=Random by ips 
    | stats values(ips) as IP 
``` You could technically do this, but it's not necessary
    | eval IP = mvjoin(IP, ",")```
``` Use this return $ statement to return a space separated string 
    but you could technically use the mvjoin and have a comma separated one```
    | return $IP
  ]
)

 

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎08-31-2023 01:21 PM

Don't bother.  IN optimizes to a series of ORs so just start with that.

index=syslog [ | tstats count from datamodel=Random by ips | rename ips as src_ip | fields src_ip | format ]

The subsearch will run first and use the format command to produce a string like "(src_ip=1.2.3.4 OR src_ip=2.3.4.5)" which will become part of the main search.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to Officially Supported Splunk ...