Splunk Search

'where propertyname In (propertyvalue1, propertyvalue2, etc...)' int vs string values

gabenav11
Explorer

Hello, I am having difficulty using the 'where property in (x,y,z,...)' type search filter in Splunk. Specifically, when the property values are strings.

This works for me:

     index=indexName | where 'Error.Code' in (5224, 5198)

But this does not:

index=indexName | where 'Error.Type' in (ServConfigError,GetCompFail)

Any idea why that would be? I've tried a lot of combinations of quotes, single and double, around different things, and also trying this kind of construction:

index=indexName 'Error.Type' in (ServConfigError,GetCompFail)

and this

index=indexName | where in ('Error.Type', ServConfigError,GetCompFail)

and so on, and I can't get it to work

thanks for any help

0 Karma
1 Solution

somesoni2
Revered Legend

Have the string values in double quoutes. See supported format in the Splunk documentation here:

https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/ConditionalFunctions#in.28FIELD.2...

View solution in original post

0 Karma

woodcock
Esteemed Legend

You need this:

 index=indexName | where 'Error.Type' IN ("ServConfigError", "GetCompFail")
 index=indexName | search 'Error.Type' IN (ServConfigError, GetCompFail)

The reason you are confused is because where assumes that the Right-Side-Value is a field name, unless this is unlikely or impossible, such as when the RHS is a digit (which is an "unlean" field name), when it will be treated as a string-literal, whereas search always expects a string-literal. In any case, it is a good best-practice to always enclosestring-literals inside double-quotes, especially those which are RSVs.

0 Karma

somesoni2
Revered Legend

Have the string values in double quoutes. See supported format in the Splunk documentation here:

https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/ConditionalFunctions#in.28FIELD.2...

0 Karma
Get Updates on the Splunk Community!

.conf25 Registration is OPEN!

Ready. Set. Splunk! Your favorite Splunk user event is back and better than ever. Get ready for more technical ...

Detecting Cross-Channel Fraud with Splunk

This article is the final installment in our three-part series exploring fraud detection techniques using ...

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...