Splunk Search

How do you use the IN function with a free text search?

Engager

I would like to search the entire record for a list of text strings using the IN function.

At the moment, I have a search that looks a bit like

 (a OR b OR c) AND message_type=foo

which finds za, zb, zc etc. in the field video_type

I would rather use something like

 video_type IN (a, b, c) AND message_type=foo

or

 _raw IN (a, b, c) AND message_type=foo

Because I want to use the search in a dashboard and have users paste a, b, and c in an input.

But free text search doesn't work if you specify a field to search in — it only seems to find exact matches.


Re: How do you use the IN function with a free text search?

Influencer

@toryan IN will look for an exact value, not a substring. You could probably use the match function instead.


Re: How do you use the IN function with a free text search?

Engager

@Vijeta how would that work? Can you provide an example?


Re: How do you use the IN function with a free text search?

Influencer

Try

 ... | where match(video_type, "a|b|c|d")


Re: How do you use the IN function with a free text search?

Engager

This still doesn't allow users to enter the search terms in an input field.


Re: How do you use the IN function with a free text search?

SplunkTrust

As the search is used in a dashboard, the user inputs can be collected in tokens and run against the search. Do you see any issues with that? You don't need to use IN:

 your base search message_type=foo | search (video_type=$tokenA$ OR video_type=$tokenB$)

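Added example (not posted by anyone in this thread): a Simple XML dashboard fragment showing how the token approach above can be extended to a single text input that takes any number of comma-separated values. A `<change>` handler rewrites the pasted list into a quoted, wildcarded list that the `search` command's IN operator accepts, so `a, b, c` becomes `"*a*","*b*","*c*"`. The field names `video_type` and `message_type` come from the question; the index name `video`, the token names and the time range are assumptions. The input is first reduced to an allowlist of characters, because a raw token substituted into a query string is an SPL injection point: a value containing a closing quote and a pipe would otherwise break out of the IN list and append arbitrary commands to the search.

```xml
<form version="1.1">
  <label>Video type search (added example, not from the thread)</label>
  <fieldset submitButton="true">
    <input type="text" token="raw_terms">
      <label>Video types, comma-separated (e.g. a, b, c)</label>
      <change>
        <!-- Step 1 (inner replace): allowlist only word characters, hyphens,
             commas and whitespace, so quotes and pipes never reach the query.
             Step 2 (outer replace): turn each comma (with optional spaces)
             into the separator *","* and wrap the whole thing in "*...*",
             giving "*a*","*b*","*c*" for the input "a, b ,c".
             The wildcards keep the substring behaviour of the original
             free-text (a OR b OR c) search, which matched za, zb, zc. -->
        <eval token="video_list">"\"*".replace(replace(trim($value$), "[^\w\s,-]", ""), "\s*,\s*", "*\",\"*")."*\""</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- index=video is an assumed name; the search command's IN operator
               accepts wildcards, so this matches video_type values containing
               any of the pasted terms. -->
          <query>index=video message_type=foo video_type IN ($video_list$)
| table _time video_type _raw</query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

If substring matching is not wanted, drop the `*` from the eval expression and the list becomes an exact-value IN list, which is what the Influencer's first reply describes. The same token rewrite could produce an alternation for `| where match(video_type, "$regex$")`, but then every character the user pastes is interpreted as a regex, so the allowlist step becomes mandatory rather than merely prudent.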

Re: How do you use the IN function with a free text search?

Engager

I want users to be able to input any number of values, separated by commas, in an input. So using $a$ OR $b$ etc. will not work.


Re: How do you use the IN function with a free text search?

SplunkTrust
SplunkTrust

Isn't this just a case where you could use wildcards like a*, b*, c*?
