I've been looking through the search documentation to see if Splunk has an operator similar to the SQL 'in' operator. I'm not seeing anything so my hunch is it does not exist, but I thought I would just ask. I know I can just add on a bunch of 'or' clauses but an 'in' operator would just be a bit more concise. Any thoughts?
The feature was introduced in Splunk 6.6 (see Release Notes) in May 2017.
Feature: New SQL-like IN SPL operator
New SPL operator that acts as a shorthand for multiple disjunctions of one field. See Comparison and Conditional functions and search in the Search Reference manual.
Oh ... wait. I spoke too soon. It looks like it has to be this way.
... AND NOT field IN (val1, val2, val3)
as opposed to
... AND field NOT IN (val1, val2, val3)
SQL "in" example -
select a from A where b in (select b from B)
can be done through subsearches -
sourcetype=a [sourcetype=B | fields b] | fields a
a good discussion on the same topic -
1) You could create a lookup (think a big csv file) where each row is one of the values in your tuple.
The lookup would have to have two columns even though in such a simple case the second one feels redundant.
In this case let's say we give it columns called 'value' and 'weirdness'.
<your search> | lookup mylookupname value AS fieldName OUTPUT weirdness | where weirdness=1
2) If the events that you're trying to match on are a tiny subset of the main events, there's another similar way that can be much more efficient. That is to use the inputlookup command within a subsearch. Essentially you're doing that gigantic OR search, but in an automated way
<your search> [ inputlookup mylookupname | rename value AS myfieldname | fields myfieldname ]
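As an added, self-contained example (not from any of the answers above), the following search builds a handful of constructed authentication-failure events with makeresults and then applies the IN operator in the NOT field IN (...) form discussed above to drop events from a small allowlist of source addresses; the field names src_ip and user and the addresses are assumptions made up for the demonstration:

```spl
| makeresults count=5
| streamstats count AS n
| eval src_ip=case(n=1,"10.0.0.5", n=2,"10.0.0.6", n=3,"203.0.113.7", n=4,"198.51.100.9", n=5,"10.0.0.5"),
       user=case(n<=2,"svc_backup", n=3,"alice", n=4,"bob", n=5,"mallory"),
       action="failure"
| search action=failure NOT src_ip IN ("10.0.0.5", "10.0.0.6")
| stats count BY src_ip, user
```

The same filter can be applied after the fact with the eval function form, `| where NOT in(src_ip, "10.0.0.5", "10.0.0.6")`, and when the allowlist grows beyond a few entries the inputlookup subsearch shown in the answer above keeps the search maintainable without editing the SPL.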