Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to put field values in a table to call in a search instead of using OR boolean directive?

edookati
Path Finder
‎07-30-2014 12:02 PM

I am currently using the below query...
index=a field1="ABC" | join id [Search index=a AND (field2="B" OR field2="C" field2="D"...)]

But I have 85 distinct values for field2..., so instead of providing too many logical/OR expressions is there a way I can put all these values A, B, C, D ....& Z in a table and write something like...search if field2 is in the table...?

Tags (3)
0 Karma
Reply

somesoni2
Revered Legend
‎07-30-2014 01:00 PM

Try something like this

index=a field1="ABC" 
| join id [Search index=a [Search index=a | stats count by field2 | return field2]]

The innermost subsearch "[Search index=a | stats count by field2 | return field2]" will return 'OR' separate values to field2 to be used for subsearch.

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...