Splunk Search

How do you use the IN function with a free text search?

toryan
Engager

I would like to search the entire record for a list of text strings using the IN function.

At the moment, I have a search that looks a bit like

 (a OR b OR c) AND message_type=foo

which finds za, zb, zc etc. in the field video_type

I would rather use something like

 video_type IN (a, b, c) AND message_type=foo

or

 _raw IN (a, b, c) AND message_type=foo

Because I want to use the search in a dashboard and have users paste a, b, and c in an input.

But free text search doesn't work if you specify a field to search in — it only seems to find exact matches.

0 Karma

gjanders
SplunkTrust
SplunkTrust

Isn't this just a case where you could use wildcards like a*, b*, c*?

0 Karma

lakshman239
Influencer

As the search is used in dashboard, the user inputs can be collected in a token and run against search. Do you see any issues with that? you don't need to use IN
your base search message_type=foo| search (video_type=$tokenA$ OR video_type=$tokenB$)

0 Karma

toryan
Engager

I want users to be able to input any number of values, separated by commas, in an input. So using $a OR $b etc will not work.

0 Karma

Vijeta
Influencer

@toryan IN will look for exact value and not a substring. Probably you can use match function instead.

0 Karma

toryan
Engager

@Vijeta how would that work? Can you provide an example?

0 Karma

toryan
Engager

This still doesn't allow users to enter the search terms in an input field.

0 Karma

Vijeta
Influencer

Try
match(video_type, “a|b|c|d”)

0 Karma
Get Updates on the Splunk Community!

Splunk is Nurturing Tomorrow’s Cybersecurity Leaders Today

Meet Carol Wright. She leads the Splunk Academic Alliance program at Splunk. The Splunk Academic Alliance ...

Part 2: A Guide to Maximizing Splunk IT Service Intelligence

Welcome to the second segment of our guide. In Part 1, we covered the essentials of getting started with ITSI ...

Part 1: A Guide to Maximizing Splunk IT Service Intelligence

As modern IT environments continue to grow in complexity and speed, the ability to efficiently manage and ...