Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How do you use the IN function with a free tex...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do you use the IN function with a free text search?
I would like to search the entire record for a list of text strings using the IN function.
At the moment, I have a search that looks a bit like
(a OR b OR c) AND message_type=foo
which finds za, zb, zc etc. in the field video_type
I would rather use something like
video_type IN (a, b, c) AND message_type=foo
or
_raw IN (a, b, c) AND message_type=foo
Because I want to use the search in a dashboard and have users paste a, b, and c in an input.
But free text search doesn't work if you specify a field to search in — it only seems to find exact matches.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Isn't this just a case where you could use wildcards like a*, b*, c*?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As the search is used in dashboard, the user inputs can be collected in a token and run against search. Do you see any issues with that? you don't need to use IN
your base search message_type=foo| search (video_type=$tokenA$ OR video_type=$tokenB$)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I want users to be able to input any number of values, separated by commas, in an input. So using $a OR $b etc will not work.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@toryan IN will look for exact value and not a substring. Probably you can use match function instead.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Vijeta how would that work? Can you provide an example?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This still doesn't allow users to enter the search terms in an input field.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try
match(video_type, “a|b|c|d”)
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
