Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How can I pass dynamic values to the IN operator?

yk010123
Path Finder
‎02-14-2022 01:00 PM

 

I tried this : 

.... myField IN (
[search ..| table myField])

Where the values passed to the IN operator will be calculate dynamically from another search 

But that returns 

Unable to parse the search: Right hand side of IN must be a collection of literals. '((myField = "123") OR (myField = "1234") 

How can I do this?

Labels (3)
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎02-15-2022 10:16 PM

Or you can simplify to this in most cases:

<your-search> [search <the search you wish to write> | table myField]

- As far as field name myField is common in both searches.

- Splunk will automatically add the IN operator.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎02-16-2022 04:54 AM
@VatsalJagani wrote:

- Splunk will automatically add the IN operator.

Not exactly.  Splunk will automatically convert the subsearch into a series of OR clauses, which is the same thing it does with the IN operator.

---
If this reply helps you, Karma would be appreciated.
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎02-16-2022 08:11 AM

Yeah, that is correct both will be converted to OR operators but those are one or the same thing. So to avoid confusion I generally say IN operator.

But thanks for clarification.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎02-14-2022 05:27 PM

Subsearches aren't designed to work with the IN operator since IN is relatively new.  We can make it work, however.  Try this

... myField IN (
[ search ... 
```We only need one field```
| fields myField 
```Remove duplicate values```
| dedup myField 
```Format the results using no delimeters```
| format mvsep="" "" "" "" "" "" "" 
```Remove "myField=" from the formatted string```
| eval search=replace(search, "myField =", "")
]
---
If this reply helps you, Karma would be appreciated.
Reply

lmonahan
Path Finder
‎11-04-2023 05:50 AM

Incredible answer!

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎02-14-2022 11:09 PM

This can be slightly simplified by renaming myField to query in the subsearch because the format command treats this as a special case and doesn't include the "query=" in the formatted string

... myField IN (
[ search ... 
```We only need one field```
| fields myField 
```Remove duplicate values```
| dedup myField 
``` rename field to query
| rename myField as query
```Format the results using no delimeters```
| format mvsep="" "" "" "" "" "" "" ]
)
Reply

lmonahan
Path Finder
‎11-04-2023 05:50 AM

Another incredible answer!  These helped me a lot!

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...