Re: How do you use the IN function with a free tex...

toryan · ‎02-27-2019

I would like to search the entire record for a list of text strings using the IN function.

At the moment, I have a search that looks a bit like

 (a OR b OR c) AND message_type=foo

which finds za, zb, zc etc. in the field video_type

I would rather use something like

 video_type IN (a, b, c) AND message_type=foo

or

 _raw IN (a, b, c) AND message_type=foo

Because I want to use the search in a dashboard and have users paste a, b, and c in an input.

But free text search doesn't work if you specify a field to search in — it only seems to find exact matches.

gjanders · ‎03-01-2019

Isn't this just a case where you could use wildcards like a*, b*, c*?

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud

lakshman239 · ‎02-27-2019

As the search is used in dashboard, the user inputs can be collected in a token and run against search. Do you see any issues with that? you don't need to use IN
your base search message_type=foo| search (video_type=$tokenA$ OR video_type=$tokenB$)

toryan · ‎03-01-2019

I want users to be able to input any number of values, separated by commas, in an input. So using $a OR $b etc will not work.

Vijeta · ‎02-27-2019

@toryan IN will look for exact value and not a substring. Probably you can use match function instead.

toryan · ‎03-01-2019

@Vijeta how would that work? Can you provide an example?

toryan · ‎03-04-2019

This still doesn't allow users to enter the search terms in an input field.

Vijeta · ‎03-02-2019

Try
match(video_type, “a|b|c|d”)

How do you use the IN function with a free text search?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?