Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Splunks equivalent to the SQL "IN" () function

marquiselee
Path Finder
‎02-26-2013 12:40 PM

I'm trying to create a search form that can take a comma separated list. In sql I would use the 'IN' command.

If the form allowed for a comma separated list like "Honda,Chevorlet,FORD,TOYOTA"
I guess the search would look similar to this.

search index=Cars CAR_MAKE IN ($CAR_MAKE$)|table CAR_MAKE CAR_MODEL

Any Ideas?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎02-26-2013 01:24 PM

You could use this subquery in the main search:

index=Cars [| gentimes start=-1 increment=1d | eval CAR_MAKE = "foo,bar,baz" | makemv CAR_MAKE delim="," | mvexpand CAR_MAKE | return 100 CAR_MAKE]

The subsearch yields this as a filter for the main search:

(CAR_MAKE="foo") OR (CAR_MAKE="bar") OR (CAR_MAKE="baz")

Just replace the fixed string with the appropriate $value$.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎10-04-2017 08:09 AM

We can all celebrate v6.6.1:
http://docs.splunk.com/Documentation/SplunkCloud/6.6.1/ReleaseNotes/NewSplunkCloudFeatures

Because this:
New SQL-like IN SPL operator New SPL operator that acts as a shorthand for multiple disjunctions of one field. See Comparison and Conditional functions and search in the Search Reference manual.

So this:
http://docs.splunk.com/Documentation/SplunkCloud/6.6.1/SearchReference/ConditionalFunctions#in.28VAL...

And this:
You can use this function with the eval, fieldformat, and where commands, and as part of eval expressions with other commands.
There is also an IN operator that is similar to the in(VALUE-LIST) function that you can use with the search and tstats commands.
The following syntax is supported:
...| where in(field,"value1","value2", ...)
...| where field in("value1","value2", ...)
...| eval new_field=in(field,"value1","value2", ...)

0 Karma
Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎02-26-2013 01:24 PM

You could use this subquery in the main search:

index=Cars [| gentimes start=-1 increment=1d | eval CAR_MAKE = "foo,bar,baz" | makemv CAR_MAKE delim="," | mvexpand CAR_MAKE | return 100 CAR_MAKE]

The subsearch yields this as a filter for the main search:

(CAR_MAKE="foo") OR (CAR_MAKE="bar") OR (CAR_MAKE="baz")

Just replace the fixed string with the appropriate $value$.

0 Karma
Reply
Solved! Jump to solution

marquiselee
Path Finder
‎02-26-2013 02:51 PM

This worked perfectly! Thank You Thank You

0 Karma
Reply
Solved! Jump to solution

alacercogitatus
SplunkTrust
SplunkTrust
‎02-26-2013 12:49 PM

Map might work for you, but the more in the list, the longer it takes.

|eval cars=$car_make$|eval car=split(cars,",")|map [search index=Cars car=$car$]

You can also try using a lookup. In $APP_HOME/lookups make a "cars.csv".

cars.csv
car
Ford
Toyota
Honda

Then search

index=Cars | join car [|inputlookup cars.csv |stats count by car|fields - count]

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...