Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use IN function with VALUE-LIST as a search or lookup

koshyk
Super Champion
‎03-01-2019 03:30 AM

hi,
We have a SPL which emits hostname as a single value, but this needs to be checked against a valid list of hostnames on every line. The list is "colon separated"

So ideally, we need to check if 

server01
server02

is present in 

List1,server101:server102:server103
List2,server04:server02:server05

So in above example, the List2 and server02 should have a match. Please note, the List is a search itself.
Ideally looking for something like

| where IN (servername, [|search myListSearch| fields serverlist|split(serverlist,":")])

Any way to do this using IN operator? ideally i wanted to check if server01 or server02 is present IN the lists in an efficient and short way (rather than splitting the list and comparing). Ideally a "grep -w" should be sufficient

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

maciep
Champion
‎03-09-2019 07:19 PM

You could probably accomplish this with a "normal" subsearch, but I think this works if you want to use the IN function. I'm just reformatting your server list so it looks like "server01","server02", xxx since that's what the function expects.

   | where IN (servername, [
           |search myListSearch
           | fields serverlist
           |eval serverlist = "\"" . replace(serverlist,":","\",\"") . "\""
           | return serverlist 
          ]
      )

View solution in original post

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎03-09-2019 08:07 PM

Like this:

...  | where [search myListSearch
             | fields serverlist
             | makemv delim=":" serverlist
             | mvexpand serverlist
             | rename serverlist AS servername]
Reply
Solved! Jump to solution
Solution

maciep
Champion
‎03-09-2019 07:19 PM

You could probably accomplish this with a "normal" subsearch, but I think this works if you want to use the IN function. I'm just reformatting your server list so it looks like "server01","server02", xxx since that's what the function expects.

   | where IN (servername, [
           |search myListSearch
           | fields serverlist
           |eval serverlist = "\"" . replace(serverlist,":","\",\"") . "\""
           | return serverlist 
          ]
      )
Reply
Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...