Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Generate values for IN search

makelovenotwar
Path Finder
‎08-31-2023 01:08 PM

How do I use a search to generate values to use inside of an IN search? For example:

 

 

index=syslog src_ip IN ( | tstats count from datamodel=Random by ips | stats values(ips) as IP | eval IP = mvjoin(IP, ",")

 

 

I tried the method above but it's not working. Thank you!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎08-31-2023 11:57 PM

What @richgalloway is correct, but technically it's possible to format the return value so it can be used in the IN statement - your problem is that you are not crafting a subsearch - you're missing the [] subsearch brackets  - but you could do it like this - but you wouldn't really want to...

index=syslog src_ip IN ( 
  [ 
    | tstats count from datamodel=Random by ips 
    | stats values(ips) as IP 
``` You could technically do this, but it's not necessary
    | eval IP = mvjoin(IP, ",")```
``` Use this return $ statement to return a space separated string 
    but you could technically use the mvjoin and have a comma separated one```
    | return $IP
  ]
)

 

View solution in original post

Reply
Solved! Jump to solution

makelovenotwar
Path Finder
‎09-01-2023 02:53 AM

Thank you @richgalloway and @bowesmana  - I'd accept both as the solution if I could as I learned about the return and format commands from you both. I accepted return as the solution since I wanted to use the IN search, and couldn't format the format command to remove the column names from the generated string. Not sure this is right, but I ended up having to use an eval command to append quotesa and commas to my values, prior to the return statement. In the end, it was something like... 

index=syslog src_ip IN ( 
  [ 
    | tstats count from datamodel=Random by ips 
    | stats values(ips) as IP 
    | eval IP = "\"".IP."\","
    | return $IP
  ]
)

 Thanks again!

Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎08-31-2023 11:57 PM

What @richgalloway is correct, but technically it's possible to format the return value so it can be used in the IN statement - your problem is that you are not crafting a subsearch - you're missing the [] subsearch brackets  - but you could do it like this - but you wouldn't really want to...

index=syslog src_ip IN ( 
  [ 
    | tstats count from datamodel=Random by ips 
    | stats values(ips) as IP 
``` You could technically do this, but it's not necessary
    | eval IP = mvjoin(IP, ",")```
``` Use this return $ statement to return a space separated string 
    but you could technically use the mvjoin and have a comma separated one```
    | return $IP
  ]
)

 

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎08-31-2023 01:21 PM

Don't bother.  IN optimizes to a series of ORs so just start with that.

index=syslog [ | tstats count from datamodel=Random by ips | rename ips as src_ip | fields src_ip | format ]

The subsearch will run first and use the format command to produce a string like "(src_ip=1.2.3.4 OR src_ip=2.3.4.5)" which will become part of the main search.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

OpenTelemetry for Legacy Apps? Yes, You Can!

This article is a follow-up to my previous article posted on the OpenTelemetry Blog, "Your Critical Legacy App ...

UCC Framework: Discover Developer Toolkit for Building Technology Add-ons

The Next-Gen Toolkit for Splunk Technology Add-on Development The Universal Configuration Console (UCC) ...

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...