Splunk Search

Is it possible to use IN against a field that contains comma-separated values?

pm771
Path Finder

Is it possible to "expand" a single variable with comma-separated values into a "list" and then use it inside IN condition?

For example, I have a field "days-off" and want to filter events when "days-off" include "Sat"

So I would want something like

Search "Sat" IN (days-off)

May be with mvexpand?

Or should I just use matchor like against a string with regular expression (if required)?

0 Karma
1 Solution

to4kawa
SplunkTrust
SplunkTrust

No, it isn't.

use | where match(days-off,"Sat")

like() needs SQL-like %. match() is better.

View solution in original post

to4kawa
SplunkTrust
SplunkTrust

No, it isn't.

use | where match(days-off,"Sat")

like() needs SQL-like %. match() is better.

View solution in original post

.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!