Solved: Separate multiple splunk values with an OR clause?

MM0071 · ‎10-25-2022

I have a text box in a splunk dashboard and I'm trying to find out how I can separate values entered into the text box that are separated by commas with a OR clause. for example:

values entered into text box: 102.99.99, 103.99.93, 203.23.21

Where this search (index=abc sourcetype=abc src_ip="$ip$") would translate to:

index=abc sourcetype=abc src_ip="102.99.99 OR 103.99.93 OR 203.23.21"

Any suggestions?

johnhuang · ‎10-25-2022

Your best bet for this scenarios is to use "IN" which allows you to search for a comma delimited list of values.

For this to work, the input needs to be comma delimited, does not support "OR".

E.g. your input: 102.99.99, 103.99.93, 203.23.21

Change this: 
index=abc sourcetype=abc src_ip="$ip$"

To this: 
index=abc sourcetype=abc src_ip IN ($ip$)

View solution in original post

johnhuang · ‎10-25-2022

Your best bet for this scenarios is to use "IN" which allows you to search for a comma delimited list of values.

For this to work, the input needs to be comma delimited, does not support "OR".

E.g. your input: 102.99.99, 103.99.93, 203.23.21

Change this: 
index=abc sourcetype=abc src_ip="$ip$"

To this: 
index=abc sourcetype=abc src_ip IN ($ip$)

MM0071 · ‎10-25-2022

This was perfect. Thank you. Not sure why I didn't think about this.

gcusello · ‎10-25-2022

Hi @MM0071,

did you tried with replace command (https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Replace)?

| replace "," WITH " OR" IN <your_field>

Ciao.

Giuseppe

MM0071 · ‎10-25-2022

I have not. I'm very green with Splunk. How would the syntax for this work?

Separate multiple splunk values with an OR clause?

other

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?