Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Generate values for IN search

makelovenotwar
Path Finder
‎08-31-2023 01:08 PM

How do I use a search to generate values to use inside of an IN search? For example:

 

 

index=syslog src_ip IN ( | tstats count from datamodel=Random by ips | stats values(ips) as IP | eval IP = mvjoin(IP, ",")

 

 

I tried the method above but it's not working. Thank you!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎08-31-2023 11:57 PM

What @richgalloway is correct, but technically it's possible to format the return value so it can be used in the IN statement - your problem is that you are not crafting a subsearch - you're missing the [] subsearch brackets  - but you could do it like this - but you wouldn't really want to...

index=syslog src_ip IN ( 
  [ 
    | tstats count from datamodel=Random by ips 
    | stats values(ips) as IP 
``` You could technically do this, but it's not necessary
    | eval IP = mvjoin(IP, ",")```
``` Use this return $ statement to return a space separated string 
    but you could technically use the mvjoin and have a comma separated one```
    | return $IP
  ]
)

 

View solution in original post

Reply
Solved! Jump to solution

makelovenotwar
Path Finder
‎09-01-2023 02:53 AM

Thank you @richgalloway and @bowesmana  - I'd accept both as the solution if I could as I learned about the return and format commands from you both. I accepted return as the solution since I wanted to use the IN search, and couldn't format the format command to remove the column names from the generated string. Not sure this is right, but I ended up having to use an eval command to append quotesa and commas to my values, prior to the return statement. In the end, it was something like... 

index=syslog src_ip IN ( 
  [ 
    | tstats count from datamodel=Random by ips 
    | stats values(ips) as IP 
    | eval IP = "\"".IP."\","
    | return $IP
  ]
)

 Thanks again!

Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎08-31-2023 11:57 PM

What @richgalloway is correct, but technically it's possible to format the return value so it can be used in the IN statement - your problem is that you are not crafting a subsearch - you're missing the [] subsearch brackets  - but you could do it like this - but you wouldn't really want to...

index=syslog src_ip IN ( 
  [ 
    | tstats count from datamodel=Random by ips 
    | stats values(ips) as IP 
``` You could technically do this, but it's not necessary
    | eval IP = mvjoin(IP, ",")```
``` Use this return $ statement to return a space separated string 
    but you could technically use the mvjoin and have a comma separated one```
    | return $IP
  ]
)

 

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎08-31-2023 01:21 PM

Don't bother.  IN optimizes to a series of ORs so just start with that.

index=syslog [ | tstats count from datamodel=Random by ips | rename ips as src_ip | fields src_ip | format ]

The subsearch will run first and use the format command to produce a string like "(src_ip=1.2.3.4 OR src_ip=2.3.4.5)" which will become part of the main search.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...