Splunk Search

Is it possible to use IN against a field that contains comma-separated values?

pm771
Communicator

Is it possible to "expand" a single variable with comma-separated values into a "list" and then use it inside IN condition?

For example, I have a field "days-off" and want to filter events when "days-off" include "Sat"

So I would want something like

Search "Sat" IN (days-off)

May be with mvexpand?

Or should I just use matchor like against a string with regular expression (if required)?

0 Karma
1 Solution

to4kawa
Ultra Champion

No, it isn't.

use | where match(days-off,"Sat")

like() needs SQL-like %. match() is better.

View solution in original post

to4kawa
Ultra Champion

No, it isn't.

use | where match(days-off,"Sat")

like() needs SQL-like %. match() is better.

Get Updates on the Splunk Community!

Splunk Smartness with Brandon Sternfield | Episode 3

Hello and welcome to another episode of "Splunk Smartness," the interview series where we explore the power of ...

Monitoring Postgres with OpenTelemetry

Behind every business-critical application, you’ll find databases. These behind-the-scenes stores power ...

Mastering Synthetic Browser Testing: Pro Tips to Keep Your Web App Running Smoothly

To start, if you're new to synthetic monitoring, I recommend exploring this synthetic monitoring overview. In ...