Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I programatically generate list of "OR" terms in a search?

dwaddle
SplunkTrust
SplunkTrust
‎01-28-2011 06:54 PM

I am trying to figure out some method of using something like a scripted lookup to programmatically generate a set of "OR" terms in a search. This would be roughly analogous to an SQL "IN" clause.

As a concrete example, I would like to be able to tie in data from one of our operations support systems. I can create a scripted input to return from there a set of hosts that match certain criteria (say, "is production and Debian"). I've been able to make this work using a pattern similar to:

blah blah blah | join host [ inputlookup production_and_debian ]

This works in some cases, but the problems with join (both from a result-size aspect and a performance aspect) make this difficult to apply in a general sense.

Ideally, I'd like to be able to do something like:

blah blah blah host IN ( [ inputlookup production_and_debian ] )

but I know that IN / NOT IN is not supported in the current search language.

I guess I could create a series of search macros that expand out to the form of

AND ( host="mike" OR host="jeff" OR host="bob")

but was hoping for something that could be done more dynamically and would have less maintenance effort.

Reply
1 Solution
Solved! Jump to solution
Solution

araitz
Splunk Employee
Splunk Employee
‎01-28-2011 07:21 PM

I'm not sure I understand your question, but wouldn't the 'format' command provide a sufficient union of terms?

As for 'IN', I do something similar in my blog post on lookups here:

http://blogs.splunk.com/2011/01/11/maintaining-state-of-the-union/

To take your example:

... | append [inputlookup production_and_debian | eval is_deb_prod="true" ] | fillnull is_deb_prod value="false" | stats dc(is_deb_prod) as deb_prod_count by host | search deb_prod_count>1

If I am way off, I apologize in advance.

View solution in original post

Reply
Solved! Jump to solution
Solution

araitz
Splunk Employee
Splunk Employee
‎01-28-2011 07:21 PM

I'm not sure I understand your question, but wouldn't the 'format' command provide a sufficient union of terms?

As for 'IN', I do something similar in my blog post on lookups here:

http://blogs.splunk.com/2011/01/11/maintaining-state-of-the-union/

To take your example:

... | append [inputlookup production_and_debian | eval is_deb_prod="true" ] | fillnull is_deb_prod value="false" | stats dc(is_deb_prod) as deb_prod_count by host | search deb_prod_count>1

If I am way off, I apologize in advance.

Reply
Solved! Jump to solution

dwaddle
SplunkTrust
SplunkTrust
‎01-28-2011 11:05 PM

That is a most excellent blog post. But, yeah, format does seem to bake things basically like I needed them. In fact, I think I may not have understood subsearches well enough to begin with, because a simple [inputlookup mylookup] seems to do well enough. Thanks!

Reply
Get Updates on the Splunk Community!

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Buttercup Games: Further Dashboarding Techniques (Part 7)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...
Top