Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to use IN function with KV tuple lists as a search...

alancalvitti
Path Finder
‎12-16-2020 01:21 PM

This question: How to use IN function with VALUE-LIST as a search or lookup  discusses using IN for a single key and list of values.

Can that approach be generalized for lists of  KV lists?  Want to abstract what could be done in a verbose way with  AND and OR's :

(keyA=value1 AND keyB=value2) OR (keyA=value3 AND keyB=value4) OR (keyA=value5 AND keyB=value6)...

 

 

 

 

 

Labels (3)
0 Karma
Reply

to4kawa
Ultra Champion
‎12-17-2020 05:40 AM

 

| makeresults count=10
| streamstats count
| eval key="value".count
| streamstats list(key) as keys window=2
| where count % 2 = 0
| eval keyA=mvindex(keys,0), keyB=mvindex(keys,1)
| table keyA keyB
| format

 

How about subsearch with format?

0 Karma
Reply

alancalvitti
Path Finder
‎12-17-2020 07:11 AM

That's clever - your method takes lists and generates the expanded AND/OR expression. - However, I was hoping to avoid that since it seems slow for long lists.

Wouldn't search be significantly faster to convert to a form that uses IN operator?

 

0 Karma
Reply
Get Updates on the Splunk Community!

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...

The Great Resilience Quest: 10th Leaderboard Update

The tenth leaderboard update (11.23-12.05) for The Great Resilience Quest is out >> As our brave ...