Splunk Search

How can I programmatically generate list of "OR" terms in a search?

dwaddle
SplunkTrust

I am trying to figure out some method of using something like a scripted lookup to programmatically generate a set of "OR" terms in a search. This would be roughly analogous to an SQL "IN" clause.

As a concrete example, I would like to be able to tie in data from one of our operations support systems. I can create a scripted input to return from there a set of hosts that match certain criteria (say, "is production and Debian"). I've been able to make this work using a pattern similar to:

blah blah blah | join host [ inputlookup production_and_debian ]

This works in some cases, but the problems with join (both from a result-size aspect and a performance aspect) make this difficult to apply in a general sense.

Ideally, I'd like to be able to do something like:

blah blah blah host IN ( [ inputlookup production_and_debian ] ) 

but I know that IN / NOT IN is not supported in the current search language.

I guess I could create a series of search macros that expand out to the form of

AND ( host="mike" OR host="jeff" OR host="bob")

but was hoping for something that could be done more dynamically and would have less maintenance effort.

1 Solution

araitz
Splunk Employee

I'm not sure I understand your question, but wouldn't the 'format' command provide a sufficient union of terms?

As for 'IN', I do something similar in my blog post on lookups here:

http://blogs.splunk.com/2011/01/11/maintaining-state-of-the-union/

To take your example:

... | append [inputlookup production_and_debian | eval is_deb_prod="true" ] | fillnull is_deb_prod value="false" | stats dc(is_deb_prod) as deb_prod_count by host | search deb_prod_count>1

If I am way off, I apologize in advance.


dwaddle
SplunkTrust

That is a most excellent blog post. But, yeah, format does seem to bake things basically like I needed them. In fact, I think I may not have understood subsearches well enough to begin with, because a simple [inputlookup mylookup] seems to do well enough. Thanks!
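The exchange above hinges on what a subsearch like `[inputlookup production_and_debian]` actually expands to: the subsearch's rows are passed through the `format` command, which turns each row into `field="value"` terms joined by AND and joins the rows with OR, wrapped in parentheses. The Python below is an added illustration of that expansion, written for this thread rather than taken from it or from Splunk; the `PRODUCTION_AND_DEBIAN` rows are constructed sample data, and the value-escaping rule and the optional row cap are approximations of Splunk's behaviour, not its implementation.

```python
"""Model of how a Splunk subsearch's result rows become an OR'd search
expression, i.e. the default behaviour of the `format` command.
Added example for this thread; not Splunk's code and not from the original
post. Escaping and the row cap are approximations."""


def quote_value(value):
    """Quote a single field value so it is one search term.

    Backslashes and double quotes inside the value are escaped so that a
    value read from a lookup cannot break out of its quotes and alter the
    generated search (approximation of Splunk's own quoting).
    """
    escaped = str(value).replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def format_subsearch(rows, max_rows=None,
                     prefix="(", row_prefix="(", row_sep="AND",
                     row_suffix=")", row_join="OR", suffix=")",
                     emptystr="NOT( )"):
    """Render lookup rows as one search expression.

    rows: list of dicts, e.g. [{"host": "mike"}, {"host": "jeff"}].
    Each row becomes field="value" pairs joined by row_sep (AND); rows are
    joined by row_join (OR). The defaults mirror
    `format "(" "(" "AND" ")" "OR" ")"`. max_rows stands in for the
    subsearch result cap (assumption: Splunk's default cap is 10,000 rows);
    emptystr is what is emitted when the subsearch returned nothing.
    """
    if max_rows is not None:
        rows = rows[:max_rows]
    parts = []
    for row in rows:
        terms = [f"{field}={quote_value(value)}" for field, value in row.items()]
        joined_terms = f" {row_sep} ".join(terms)
        parts.append(f"{row_prefix} {joined_terms} {row_suffix}")
    if not parts:
        return emptystr
    joined_rows = f" {row_join} ".join(parts)
    return f"{prefix} {joined_rows} {suffix}"


def build_search(base_search, rows):
    """Compose the outer search with the expanded subsearch, the way
    `base_search [inputlookup production_and_debian]` expands at run time."""
    return f"{base_search} {format_subsearch(rows)}"


# Constructed sample rows standing in for `inputlookup production_and_debian`.
PRODUCTION_AND_DEBIAN = [
    {"host": "mike"},
    {"host": "jeff"},
    {"host": "bob"},
]

if __name__ == "__main__":
    print(build_search("index=os sourcetype=syslog", PRODUCTION_AND_DEBIAN))
    # A lookup with two columns yields ANDed pairs per row, ORed across rows.
    print(format_subsearch([{"host": "web1", "env": "prod"},
                            {"host": "web2", "env": "prod"}]))
```

The `quote_value` step is the part worth keeping in mind when the lookup is fed from an external operations system: the subsearch output is spliced into the outer search as text, so values that contain quotes or backslashes must be escaped rather than concatenated raw.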
