Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to filter multiple values with pivot command - is the 'in' operator broken?

wcooper003
Communicator
‎06-15-2017 01:18 PM

Based on the Splunk pivot command documentation, one should be able to use:

| pivot .....
   splitrow fieldname
   filter fieldname in ("some text1", "some text2")

However, this doesn't work for me - it only returns the first value in the list, not both of them. Even if I remove the quotes from the strings which seems like it works ok, it still just return the first value. However, this works:

| pivot .....
   splitrow fieldname
   filter fieldname contains some

This isn't ideal because it returns a lot of stuff I don't want. So the question is how do I do a simple OR logical to filter on multiple values with the pivot command?

Does the pivot command have a bug where the 'in' comparison operator doesn't work?

Reply

valerie_tan
Path Finder
‎03-09-2018 09:47 PM

I finally found a working answer! I am using Splunk 7.0 and above.

This was what I did cause I couldn't find any working answer for passing multiselect tokens into Pivot FILTER command in the search query. (For a better understanding of how the SPL works)
Step 1: Make a pivot table and add a filter using "is in list", add it as a inline search report into a dashboard.
Step 2: Open the search query in Edit mode. TADA. you can see the cotde that they used.
Step 3: Breathe a huge sigh of relief. The answer is simpler than what has been given ...

Using the Multiselect token:
Set the following:
token prefix and suffix as ( and )
values prefix and suffix with "
delimiter with ,

("value1", "value2", value3"...) <- this is what u should see in their preview.

**In search query""

Simply type
FILTER XXX in $xxx_token|s$
Note that the token escape is the life saver. the values originally r kinda messed up.

Please let me know if it works for you guys.

0 Karma
Reply

DalJeanis
Legend
‎06-15-2017 08:34 PM

what version of splunk are you on? I believe "in" is brand new.

For older versions, try.... 

 (fieldname ="some text1" OR fieldname ="some text2")
0 Karma
Reply

wcooper003
Communicator
‎06-16-2017 05:59 AM

Thanks for the response. Using 6.5.2 soon to be on 6.6.1.

I tried that as:

| pivot .....
    splitrow fieldname
    filter (fieldname ="some text1" OR fieldname="some text2")

But that didn't execute.

0 Karma
Reply

DalJeanis
Legend
‎06-17-2017 11:25 AM

Interesting... no, 6.5 should be fine for in.

Documentation for FILTER is kind of bizarre. The = operator doesn't work with strings, you have to use is?

Okay, I added the bug tag, because this is apparently a bug, but here's a couple more shots in the dark for potential workarounds. If either one works, it will be a minor miracle.

A) try using FILTER and IN in all caps. The doc shows it in lower case, but what the heck.

B) try filter fieldname is "some text" OR fieldname is "some text2" .

0 Karma
Reply
Get Updates on the Splunk Community!

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...

AppDynamics is now part of Splunk Ideas

Hello Splunkers, We have exciting news for you! AppDynamics has been added to the Splunk Ideas Portal. Which ...

Advanced Splunk Data Management Strategies

Join us on Wednesday, May 14, 2025, at 11 AM PDT / 2 PM EDT for an exclusive Tech Talk that delves into ...
Top