Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to check if a value exists in a list of values?

sdhiaeddine
Explorer
‎02-22-2023 08:06 AM

Hi,

I'm filtering a search to get a result for a specific values by checking it manually this way:

.... | stats sum(val) as vals by value | where value="v1" OR value="v2" OR value="v3"

I'm wondering if it is possible to do the same by checking if the value exists in a list coming from another index:
(something like this)

.... | append [search index=another_index
| stats values(remote_value) as values_list]
| stats sum(val) as vals by value | where (value in values_list)

Labels (3)
Tags (2)
0 Karma
Reply

DanielPriceUK
Path Finder
‎02-22-2023 08:56 AM

| search values IN("v1",V2",V3")

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Search#Multiple_field-value_comp...

0 Karma
Reply

DanielPriceUK
Path Finder
‎02-22-2023 08:58 AM

use subsearches and the format command for the rest if you want to populate the comma seperated list with values from a search

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...