How to use IN function with KV tuple lists as a se...

alancalvitti · ‎12-16-2020

This question: How to use IN function with VALUE-LIST as a search or lookup discusses using IN for a single key and list of values.

Can that approach be generalized for lists of KV lists? Want to abstract what could be done in a verbose way with AND and OR's :

(keyA=value1 AND keyB=value2) OR (keyA=value3 AND keyB=value4) OR (keyA=value5 AND keyB=value6)...

to4kawa · ‎12-17-2020

| makeresults count=10
| streamstats count
| eval key="value".count
| streamstats list(key) as keys window=2
| where count % 2 = 0
| eval keyA=mvindex(keys,0), keyB=mvindex(keys,1)
| table keyA keyB
| format

How about subsearch with format?

alancalvitti · ‎12-17-2020

That's clever - your method takes lists and generates the expanded AND/OR expression. - However, I was hoping to avoid that since it seems slow for long lists.

Wouldn't search be significantly faster to convert to a form that uses IN operator?

How to use IN function with KV tuple lists as a search...

field extraction

fields

subsearch

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

Join the Conversation