Splunk Search

How can I pass dynamic values to the IN operator?

yk010123
Path Finder


I tried this:

.... myField IN (
[search ..| table myField])

Where the values passed to the IN operator will be calculated dynamically from another search.

But that returns:

Unable to parse the search: Right hand side of IN must be a collection of literals. '((myField = "123") OR (myField = "1234") 

How can I do this?


VatsalJagani
SplunkTrust

Or you can simplify to this in most cases:

<your-search> [search <the search you wish to write> | table myField]

- As long as the field name myField is common to both searches.

- Splunk will automatically add the IN operator.

0 Karma
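As an added, self-contained illustration of this simplified form (not code from the original thread), the search below builds both the outer data set and the subsearch result with makeresults, so it runs without any index; the user names are constructed sample values. The subsearch returns the field myField only, and Splunk expands its rows into a series of OR clauses on myField that the outer search command filters on, so only the rows for bob and dave survive.

```spl
| makeresults
| eval myField=split("alice,bob,carol,dave,erin", ",")
| mvexpand myField
| search [ | makeresults
           | eval myField=split("bob,dave", ",")
           | mvexpand myField
           | table myField ]
```

To see exactly what string the subsearch contributes to the outer search, run the bracketed part on its own and append `| format`; the search field in its single result row is the expanded OR expression that replaces the subsearch at run time.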

richgalloway
SplunkTrust

@VatsalJagani wrote:

- Splunk will automatically add the IN operator.


Not exactly. Splunk will automatically convert the subsearch into a series of OR clauses, which is the same thing it does with the IN operator.

---
If this reply helps you, Karma would be appreciated.

VatsalJagani
SplunkTrust

Yeah, that is correct, both will be converted to OR operators, but those are one and the same thing. So to avoid confusion I generally say IN operator.

But thanks for clarification.

0 Karma

richgalloway
SplunkTrust

Subsearches aren't designed to work with the IN operator since IN is relatively new. We can make it work, however. Try this:

... myField IN (
[ search ... 
```We only need one field```
| fields myField 
```Remove duplicate values```
| dedup myField 
```Format the results using no delimiters```
| format mvsep="" "" "" "" "" "" "" 
```Remove "myField=" from the formatted string```
| eval search=replace(search, "myField =", "")
]
)

---
If this reply helps you, Karma would be appreciated.

lmonahan
Path Finder

Incredible answer!

0 Karma

ITWhisperer
SplunkTrust

This can be slightly simplified by renaming myField to query in the subsearch, because the format command treats this as a special case and doesn't include the "query=" in the formatted string.

... myField IN (
[ search ... 
```We only need one field```
| fields myField 
```Remove duplicate values```
| dedup myField 
```Rename the field to query```
| rename myField as query
```Format the results using no delimiters```
| format mvsep="" "" "" "" "" "" "" ]
)

lmonahan
Path Finder

Another incredible answer! These helped me a lot!

0 Karma