Splunk Search

How can I pass dynamic values to the IN operator?

yk010123
Path Finder


I tried this:

.... myField IN (
[search ..| table myField])

where the values passed to the IN operator are calculated dynamically from another search.

But that returns 

Unable to parse the search: Right hand side of IN must be a collection of literals. '((myField = "123") OR (myField = "1234") 

How can I do this?


VatsalJagani
SplunkTrust

Or you can simplify to this in most cases:

<your-search> [search <the search you wish to write> | table myField]

- As long as the field name myField is common to both searches.

- Splunk will automatically add the IN operator.

0 Karma

richgalloway
SplunkTrust

@VatsalJagani wrote:

- Splunk will automatically add the IN operator.


Not exactly.  Splunk will automatically convert the subsearch into a series of OR clauses, which is the same thing it does with the IN operator.

---
If this reply helps you, Karma would be appreciated.

VatsalJagani
SplunkTrust

Yeah, that is correct, both will be converted to OR operators, but those are one and the same thing. So to avoid confusion I generally say IN operator.

But thanks for the clarification.

0 Karma

richgalloway
SplunkTrust

Subsearches aren't designed to work with the IN operator since IN is relatively new.  We can make it work, however.  Try this:

... myField IN (
[ search ... 
```We only need one field```
| fields myField 
```Remove duplicate values```
| dedup myField 
```Format the results using no delimiters```
| format mvsep="" "" "" "" "" "" "" 
```Remove "myField=" from the formatted string```
| eval search=replace(search, "myField =", "")
]
)

---
If this reply helps you, Karma would be appreciated.

lmonahan
Path Finder

Incredible answer!

0 Karma

ITWhisperer
SplunkTrust

This can be slightly simplified by renaming myField to query in the subsearch, because the format command treats this as a special case and doesn't include the "query=" in the formatted string.

... myField IN (
[ search ... 
```We only need one field```
| fields myField 
```Remove duplicate values```
| dedup myField 
```Rename the field to query```
| rename myField AS query
```Format the results using no delimiters```
| format mvsep="" "" "" "" "" "" "" ]
)

lmonahan
Path Finder

Another incredible answer!  These helped me a lot!

0 Karma
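As an added, self-contained example (not from any post in this thread), here is the pattern from richgalloway's and ITWhisperer's answers applied to constructed data, so it can be pasted into any Splunk search bar without an index. The outer makeresults stands in for the real search (think of an authentication log), the inner makeresults stands in for the second search that produces the dynamic list (think of a watchlist or an alert index). All field names and IP addresses are made up for the example; the one change from the thread's recipe is that stats count BY replaces fields + dedup, since stats both drops _time and removes duplicates in one step.

```spl
``` Constructed stand-in for the outer search: six events, two of them successful logins ```
| makeresults count=6
| streamstats count AS n
| eval src_ip=case(n=1, "10.0.0.5", n=2, "10.0.0.7", n=3, "10.0.0.9",
                   n=4, "10.0.0.5", n=5, "10.0.0.11", n=6, "10.0.0.9"),
       action=if(n=4 OR n=6, "login_success", "login_failure")
``` Keep only the events whose src_ip is in the list built by the subsearch ```
| search src_ip IN (
    [ | makeresults count=3
      | streamstats count AS n
      ``` Constructed stand-in for the second search (the "watchlist"), with a duplicate on purpose ```
      | eval src_ip=case(n=1, "10.0.0.5", n=2, "10.0.0.9", n=3, "10.0.0.5")
      ``` One field only, duplicates removed (replaces fields + dedup from the thread) ```
      | stats count BY src_ip
      | fields - count
      ``` format leaves out the "query=" prefix for a field named query ```
      | rename src_ip AS query
      ``` Empty delimiters so only the quoted literals remain ```
      | format mvsep="" "" "" "" "" "" ""
    ]
  )
| table n src_ip action
```

The subsearch returns a single field named search whose value is the quoted literals, and Splunk substitutes that string inside the IN ( ... ) before running the outer search, which is why the parser no longer complains about a non-literal right-hand side. Because the watchlist contains only 10.0.0.5 and 10.0.0.9, the outer search is designed to keep just the rows for those two addresses. For the single-field case, the shorter form from VatsalJagani's answer (dropping IN and the format step and writing `| search [ ... | fields src_ip ]`) is equivalent, since Splunk expands the subsearch into an OR of src_ip=... terms either way.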