Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

'where propertyname In (propertyvalue1, propertyvalue2, etc...)' int vs string values

gabenav11
Explorer
‎04-19-2019 09:22 AM

Hello, I am having difficulty using the 'where property in (x,y,z,...)' type search filter in Splunk. Specifically, when the property values are strings.

This works for me:

     index=indexName | where 'Error.Code' in (5224, 5198)

But this does not:

index=indexName | where 'Error.Type' in (ServConfigError,GetCompFail)

Any idea why that would be? I've tried a lot of combinations of quotes, single and double, around different things, and also trying this kind of construction:

index=indexName 'Error.Type' in (ServConfigError,GetCompFail)

and this

index=indexName | where in ('Error.Type', ServConfigError,GetCompFail)

and so on, and I can't get it to work

thanks for any help

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎04-19-2019 01:48 PM

Have the string values in double quoutes. See supported format in the Splunk documentation here:

https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/ConditionalFunctions#in.28FIELD.2...

View solution in original post

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎04-21-2019 08:01 AM

You need this:

 index=indexName | where 'Error.Type' IN ("ServConfigError", "GetCompFail")
 index=indexName | search 'Error.Type' IN (ServConfigError, GetCompFail)

The reason you are confused is because where assumes that the Right-Side-Value is a field name, unless this is unlikely or impossible, such as when the RHS is a digit (which is an "unlean" field name), when it will be treated as a string-literal, whereas search always expects a string-literal. In any case, it is a good best-practice to always enclosestring-literals inside double-quotes, especially those which are RSVs.

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎04-19-2019 01:48 PM

Have the string values in double quoutes. See supported format in the Splunk documentation here:

https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/ConditionalFunctions#in.28FIELD.2...

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...