Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can I pass dynamic values to the IN operator?

yk010123
Path Finder
‎02-14-2022 01:00 PM

 

I tried this : 

.... myField IN (
[search ..| table myField])

Where the values passed to the IN operator will be calculate dynamically from another search 

But that returns 

Unable to parse the search: Right hand side of IN must be a collection of literals. '((myField = "123") OR (myField = "1234") 

How can I do this?

Labels (3)
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎02-15-2022 10:16 PM

Or you can simplify to this in most cases:

<your-search> [search <the search you wish to write> | table myField]

- As far as field name myField is common in both searches.

- Splunk will automatically add the IN operator.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎02-16-2022 04:54 AM
@VatsalJagani wrote:

- Splunk will automatically add the IN operator.

Not exactly.  Splunk will automatically convert the subsearch into a series of OR clauses, which is the same thing it does with the IN operator.

---
If this reply helps you, Karma would be appreciated.
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎02-16-2022 08:11 AM

Yeah, that is correct both will be converted to OR operators but those are one or the same thing. So to avoid confusion I generally say IN operator.

But thanks for clarification.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎02-14-2022 05:27 PM

Subsearches aren't designed to work with the IN operator since IN is relatively new.  We can make it work, however.  Try this

... myField IN (
[ search ... 
```We only need one field```
| fields myField 
```Remove duplicate values```
| dedup myField 
```Format the results using no delimeters```
| format mvsep="" "" "" "" "" "" "" 
```Remove "myField=" from the formatted string```
| eval search=replace(search, "myField =", "")
]
---
If this reply helps you, Karma would be appreciated.
Reply

lmonahan
Path Finder
‎11-04-2023 05:50 AM

Incredible answer!

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎02-14-2022 11:09 PM

This can be slightly simplified by renaming myField to query in the subsearch because the format command treats this as a special case and doesn't include the "query=" in the formatted string

... myField IN (
[ search ... 
```We only need one field```
| fields myField 
```Remove duplicate values```
| dedup myField 
``` rename field to query
| rename myField as query
```Format the results using no delimeters```
| format mvsep="" "" "" "" "" "" "" ]
)
Reply

lmonahan
Path Finder
‎11-04-2023 05:50 AM

Another incredible answer!  These helped me a lot!

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
Top