Splunk Search

How to put field values in a table to call in a search instead of using OR boolean directive?

edookati
Path Finder

I am currently using the below query...
index=a field1="ABC" | join id [Search index=a AND (field2="B" OR field2="C" field2="D"...)]

But I have 85 distinct values for field2..., so instead of providing too many logical/OR expressions is there a way I can put all these values A, B, C, D ....& Z in a table and write something like...search if field2 is in the table...?

Tags (3)
0 Karma

somesoni2
SplunkTrust
SplunkTrust

Try something like this

index=a field1="ABC" 
| join id [Search index=a [Search index=a | stats count by field2 | return field2]]

The innermost subsearch "[Search index=a | stats count by field2 | return field2]" will return 'OR' separate values to field2 to be used for subsearch.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...