Splunk Search

how to do "where field in" with splunk

hongduan
Explorer

I need to do a query which looks like
field in [list of values]. The list could be another query's return values.

1 Solution

somesoni2
Revered Legend

Try something like this. Here you pass the list of names as comma-separated values (which should be easier with form input as well).

index=yourindex [|stats count | eval name="Susan,David,Mike" | table name| eval name=split(name,",") | mvexpand name| format]

In dashboards, it could be like this

index=yourindex [|stats count | eval name="$nameValues$" | table name| eval name=split(name,",") | mvexpand name| format]


mloven_splunk
Splunk Employee

"because, the list could be a form input field"

So, this sounds like you want to match any value for 'name', right? Because a user could put 'Susan' or 'David', but could also put 'mloven'. So, again, my first answer would work in this scenario.

Maybe paste in some actual logs, and give an example of what you want the search to do. We can probably provide a more exact solution then.



rahulroy_splunk
Path Finder

You can upload your file (list of names) as a lookup table file and then use it in the query. E.g. your lookup table, say names.csv, with the header "name" and one name per row. Add that as a lookup table under the appropriate app and set the necessary sharing permissions. Then the updated query could be like this:

index=yourindex [|inputlookup names.csv ]
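The two answers above (somesoni2's comma-separated subsearch and rahulroy's names.csv lookup) both rely on the same mechanism: a subsearch returns rows, and `| format` turns them into an OR clause that is spliced into the outer search. The Python below is an added example written for this page, not code from the thread or from Splunk; it reproduces that clause from both a comma-separated token value and a lookup-style CSV (sample inputs are constructed inline), and shows why the dashboard variant `eval name="$nameValues$"` should escape the token, since a user-supplied double quote otherwise ends the string literal and the rest of the input becomes search syntax. The `spl_quote` helper is an assumption about SPL string escaping (backslash and double quote), matching what the `$nameValues|s$` token filter does in Simple XML dashboards.

```python
"""
Added example (not from the thread): build the clause Splunk's subsearch
+ `| format` produces from a list of names, and show the escaping a
dashboard token needs before it is dropped into an eval string.
"""
import csv
import io


def spl_quote(value: str) -> str:
    """Quote a value as an SPL double-quoted string literal.

    Backslash and double quote are the characters that must be escaped
    inside "..." in SPL (assumption documented in the lead-in); this is
    the same transformation the $token|s$ dashboard filter applies.
    """
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def names_from_token(raw: str) -> list[str]:
    """Equivalent of: eval name=split(name,",") | mvexpand name
    (whitespace trimmed, empty items dropped)."""
    return [n.strip() for n in raw.split(",") if n.strip()]


def names_from_lookup(csv_text: str, column: str = "name") -> list[str]:
    """Equivalent of: | inputlookup names.csv, reading one column."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [row[column].strip() for row in reader if (row.get(column) or "").strip()]


def format_clause(field: str, values: list[str]) -> str:
    """Build what `| format` emits by default for one-column subsearch rows:
    ( ( field="v1" ) OR ( field="v2" ) ), with every value quoted and escaped."""
    if not values:
        raise ValueError("empty list: nothing to build a clause from")
    rows = [f"( {field}={spl_quote(v)} )" for v in values]
    return "( " + " OR ".join(rows) + " )"


def dashboard_eval(raw_token: str, escape: bool) -> str:
    """The `eval name="$nameValues$"` step of the dashboard subsearch.

    escape=False is raw $nameValues$ substitution; escape=True is what
    $nameValues|s$ yields. Only the escaped form keeps user input inside
    the string literal.
    """
    literal = spl_quote(raw_token) if escape else f'"{raw_token}"'
    return f"eval name={literal}"


if __name__ == "__main__":
    # Constructed inputs standing in for a form field and a names.csv lookup.
    token_value = "Susan, David,Mike,"
    lookup_csv = "name\nSusan\nMike\nO\"Brien\n"

    print(format_clause("name", names_from_token(token_value)))
    print(format_clause("name", names_from_lookup(lookup_csv)))

    # A hostile form value: the raw substitution ends the string after
    # "Susan" and the rest becomes search syntax; the escaped one does not.
    hostile = 'Susan" OR name="*'
    print(dashboard_eval(hostile, escape=False))
    print(dashboard_eval(hostile, escape=True))
```

In a real dashboard the fix is to write the token as `$nameValues|s$` so Splunk quotes and escapes it before substitution; the `dashboard_eval(..., escape=True)` line above is the result that produces. Splunk 6.6 and later also accept `name IN ("Susan","Mike")` directly in a search, which is the literal form the question asks for; the subsearch and lookup approaches in the thread are still what you use when the list comes from a token or a CSV rather than being typed into the search.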

hongduan
Explorer

Awesome, that's exactly what I need. Is it possible to upload a file with the possible values and do the search?
Something like: a file that contains "Susan,David,Mike", and the Splunk query references the file.


mloven_splunk
Splunk Employee

So, you're looking for a set of results where a specific field (or list of fields) exist? So, let's say you have a field called 'myfield'. You want to show a list of results where myfield exists, right?

If your search has something like:

index=myindex myfield=*

Then only events with a field called myfield will return.


hongduan
Explorer

And it's inconvenient for me to use OR, because the list could be a form input field. If a user enters some names in the form field, I want my query to take that as a parameter. Also, the list is long, so using an OR query will make the query even longer to read.


hongduan
Explorer

Here is what I want to do:

I have such logs:
name="Susan", date=20130101
name="David", date=20140101
name="Mike", date=20130102
name="SomeName", date=20140102
name="Test", date=20130101
.....more log records

I want the query to look like:
name in ("Susan", "Mike", ....)
The names in brackets are a long list.


somesoni2
Revered Legend

Can you provide more information, possibly with some examples?
