Solved: How can I use the IN operator after tstats to see ...

russell120k · ‎09-17-2021

Hi, I want to change this first (sanitized) query to use a data model instead but I'm unsure how to incorporate "[field] IN ([comma separated list])".

search index=my_index _raw IN ("*test*" ,"*sale*", "*customer*", "*item*" , "*code*")
|transaction src maxspan=1h
|table _time src url

This is my latest failed attempt:

|tstats values(Web.url) as urls FROM datamodel=Web by Web.src
|search urls IN("*test*" ,"*sale*", "*customer*", "*item*" , "*code*")
|table *

In the 2nd query, how can I use the IN operator after tstats to see if any one of strings in a list (the wildcards are required) exists in a field?

richgalloway · ‎09-17-2021

Have you tried WHERE field IN (values)?

|tstats values(Web.url) as urls FROM datamodel=Web where Web.url IN ("*test*" ,"*sale*", "*customer*", "*item*" , "*code*") by Web.src
|table *

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎09-17-2021

Have you tried WHERE field IN (values)?

|tstats values(Web.url) as urls FROM datamodel=Web where Web.url IN ("*test*" ,"*sale*", "*customer*", "*item*" , "*code*") by Web.src
|table *

---
If this reply helps you, Karma would be appreciated.

russell120k · ‎09-19-2021

This worked perfectly, thank you.

How can I use the IN operator after tstats to see if a list of strings exists in a field?

transaction

tstats

Splunk Observability as Code: From Zero to Dashboard

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Shape the Future of Splunk: Join the Product Research Lab!

Are you a member of the Splunk Community?