Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I programatically generate list of "OR" terms in a search?

dwaddle
SplunkTrust
SplunkTrust
‎01-28-2011 06:54 PM

I am trying to figure out some method of using something like a scripted lookup to programmatically generate a set of "OR" terms in a search. This would be roughly analogous to an SQL "IN" clause.

As a concrete example, I would like to be able to tie in data from one of our operations support systems. I can create a scripted input to return from there a set of hosts that match certain criteria (say, "is production and Debian"). I've been able to make this work using a pattern similar to:

blah blah blah | join host [ inputlookup production_and_debian ]

This works in some cases, but the problems with join (both from a result-size aspect and a performance aspect) make this difficult to apply in a general sense.

Ideally, I'd like to be able to do something like:

blah blah blah host IN ( [ inputlookup production_and_debian ] )

but I know that IN / NOT IN is not supported in the current search language.

I guess I could create a series of search macros that expand out to the form of

AND ( host="mike" OR host="jeff" OR host="bob")

but was hoping for something that could be done more dynamically and would have less maintenance effort.

Reply
1 Solution
Solved! Jump to solution
Solution

araitz
Splunk Employee
Splunk Employee
‎01-28-2011 07:21 PM

I'm not sure I understand your question, but wouldn't the 'format' command provide a sufficient union of terms?

As for 'IN', I do something similar in my blog post on lookups here:

http://blogs.splunk.com/2011/01/11/maintaining-state-of-the-union/

To take your example:

... | append [inputlookup production_and_debian | eval is_deb_prod="true" ] | fillnull is_deb_prod value="false" | stats dc(is_deb_prod) as deb_prod_count by host | search deb_prod_count>1

If I am way off, I apologize in advance.

View solution in original post

Reply
Solved! Jump to solution
Solution

araitz
Splunk Employee
Splunk Employee
‎01-28-2011 07:21 PM

I'm not sure I understand your question, but wouldn't the 'format' command provide a sufficient union of terms?

As for 'IN', I do something similar in my blog post on lookups here:

http://blogs.splunk.com/2011/01/11/maintaining-state-of-the-union/

To take your example:

... | append [inputlookup production_and_debian | eval is_deb_prod="true" ] | fillnull is_deb_prod value="false" | stats dc(is_deb_prod) as deb_prod_count by host | search deb_prod_count>1

If I am way off, I apologize in advance.

Reply
Solved! Jump to solution

dwaddle
SplunkTrust
SplunkTrust
‎01-28-2011 11:05 PM

That is a most excellent blog post. But, yeah, format does seem to bake things basically like I needed them. In fact, I think I may not have understood subsearches well enough to begin with, because a simple [inputlookup mylookup] seems to do well enough. Thanks!

Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top