Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why am I unable to search in field?

karina25
Engager
‎06-23-2022 01:13 AM

Hello All,

I have a problem with my search.

The following search works:

 

index=test_index sourcetype=test_sourcetype 
| search Modulename IN ("Test_One","Test_Two")

 

 However, this search does not work:

 

index=test_index sourcetype=test_sourcetype 
| eval helper_modulename = replace("Test_One&form.Modulename=Test_Two", "&form.Modulename=", "\",\"")
| eval helper_modulename = "\"" . helper_modulename . "\""
| search Modulename IN (helper_modulename)

 

The result of helper_modulename is the same string I use in the search that works:

karina25_0-1655971882417.png

Can anyone tell me what I am doing wrong and what needs to be adapted to make it work? 🙂

Thank you all in advance!

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎06-26-2022 06:58 AM

The IN operator expects a list of one or more literals.  It can't handle a field containing a list of literals.  Try using a subsearch to specify the IN values.

index=test_index sourcetype=test_sourcetype
| search Modulename IN ( 
    [| makeresults 
    | eval helper_modulename = replace("Test_One&form.Modulename=Test_Two", "&form.Modulename=", "\",\"") 
    | eval helper_modulename = "\"" . helper_modulename . "\"" 
    | return $helper_modulename])

 

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

karina25
Engager
‎07-04-2022 01:27 AM

Thank you so much! This works 🙂

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎06-26-2022 06:58 AM

The IN operator expects a list of one or more literals.  It can't handle a field containing a list of literals.  Try using a subsearch to specify the IN values.

index=test_index sourcetype=test_sourcetype
| search Modulename IN ( 
    [| makeresults 
    | eval helper_modulename = replace("Test_One&form.Modulename=Test_Two", "&form.Modulename=", "\",\"") 
    | eval helper_modulename = "\"" . helper_modulename . "\"" 
    | return $helper_modulename])

 

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...