Splunk Search

How do you use the IN function with a free text search?

toryan
Engager

I would like to search the entire record for a list of text strings using the IN function.

At the moment, I have a search that looks a bit like

 (a OR b OR c) AND message_type=foo

which finds za, zb, zc etc. in the field video_type

I would rather use something like

 video_type IN (a, b, c) AND message_type=foo

or

 _raw IN (a, b, c) AND message_type=foo

Because I want to use the search in a dashboard and have users paste a, b, and c in an input.

But free text search doesn't work if you specify a field to search in — it only seems to find exact matches.

0 Karma

gjanders
SplunkTrust
SplunkTrust

Isn't this just a case where you could use wildcards like a*, b*, c*?

0 Karma

lakshman239
Influencer

As the search is used in dashboard, the user inputs can be collected in a token and run against search. Do you see any issues with that? you don't need to use IN
your base search message_type=foo| search (video_type=$tokenA$ OR video_type=$tokenB$)

0 Karma

toryan
Engager

I want users to be able to input any number of values, separated by commas, in an input. So using $a OR $b etc will not work.

0 Karma

Vijeta
Influencer

@toryan IN will look for exact value and not a substring. Probably you can use match function instead.

0 Karma

toryan
Engager

@Vijeta how would that work? Can you provide an example?

0 Karma

toryan
Engager

This still doesn't allow users to enter the search terms in an input field.

0 Karma

Vijeta
Influencer

Try
match(video_type, “a|b|c|d”)

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...