Re: How to use IN function with KV tuple lists as ...

alancalvitti · ‎12-16-2020

This question: How to use IN function with VALUE-LIST as a search or lookup discusses using IN for a single key and list of values.

Can that approach be generalized for lists of KV lists? Want to abstract what could be done in a verbose way with AND and OR's :

(keyA=value1 AND keyB=value2) OR (keyA=value3 AND keyB=value4) OR (keyA=value5 AND keyB=value6)...

to4kawa · ‎12-17-2020

| makeresults count=10
| streamstats count
| eval key="value".count
| streamstats list(key) as keys window=2
| where count % 2 = 0
| eval keyA=mvindex(keys,0), keyB=mvindex(keys,1)
| table keyA keyB
| format

How about subsearch with format?

alancalvitti · ‎12-17-2020

That's clever - your method takes lists and generates the expanded AND/OR expression. - However, I was hoping to avoid that since it seems slow for long lists.

Wouldn't search be significantly faster to convert to a form that uses IN operator?

How to use IN function with KV tuple lists as a search...

field extraction

fields

subsearch

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation