Smooth operator | Searching for multiple field values | Splunk (2024)

Table of Contents
Using IN with the search command Using IN with the eval and where commands Resources FAQs References

Searching for different values in the same field has been made easier. Thank you Splunk!

For example, suppose in the "error_code" field that you want to locate only the codes 400, 402, 404, and 406.

It is really tedious to have to type field-value pair after field-value pair just to search for a list of values in the same field. But that's exactly what you had to do before version 6.6.0. You had to specify each field-value pair as a separate OR condition.

 ...error_code=400 OR error_code=402 OR error_code=404 OR error_code=406...


Using IN with the search command

One of the best improvements made to the search command is the IN operator. With the IN operator, you can specify the field and a list of values. For example:

 ... error_code IN (400, 402, 404, 406) | ...


Because the search command is implied at the beginning of a search string, all you need to specify is the field name and a list of values. The syntax is simple:

 field IN (value1, value2, ...)

Note: The IN operator must be in uppercase.You can also use a wildcard in the value list to search for similar values. For example:

See Also
What are the differences between append, appendcols, and join search commands?Combining multiple data sources in SPLDifference Between Append and Extend in Python List Methods | Scaler TopicsWhat are the differences between append, appendpipe, and appendcols search commands?

 ... error_code IN (40*) | ...


This search looks at the error_code field in your events and returns any event with a code that begins with 40.

How cool is that !

With the search command this capability is referred to as the "IN operator". With the eval and where commands, it is implemented as the "IN function".

Using IN with the eval and where commands

To use IN with the eval and where commands, you must use IN as an eval function. The Splunk documentation calls it the "in function".

And the syntax and usage are slightly different than with the search command.

  • The IN function returns TRUE if one of the values in the list matches a value in the field you specify.
  • String values must be enclosed in quotation marks.
  • You cannot specify wildcard characters to search for similar values, such as HTTP error codes or CIDR IP address ranges.


Here are the supported syntax options:

 ...| eval new_field=if(IN(field,"value1","value2", ...), "value_if_true","value_if_false")
 ...| where field IN("value1","value2", ...)
 ...| where IN(field,"value1","value2", ...)


Note: The IN function, unlike the IN operator, can be specified in upper or lowercase. The IN function is shown in this blog in uppercase in the syntax and examples for clarity.

Let's start with the where command because it is fairly straight-forward.

The following example uses the where command to return IN=TRUE if one of the values in the status field matches one of the values in the list. The values in the status field are HTTP status codes. Because the codes are string values (not numeric values), you must enclose each value in quotation marks.

See Also
Add records to a table by using an append query

 ... | where status IN("400", "401", "403", "404", "406")


You could also specify this example as:

 ... | where IN(status,"400", "401", "403", "404", "406")


Using the IN function with the eval command is different than using IN with the where command. The eval command cannot accept Boolean values, you must use the IN function inside another function that can process the Boolean values returned by the IN function.

Let's go through an example where you can use the IN function as the first parameter for the IF function. We'll use the access.log file that is included with the Search Tutorial data.

In the following example, the IN function is used with the IF function to evaluate the action field. Then the stats command performs a calculation.

 sourcetype=access_combined_wcookie
 | eval activity=if(IN(action, "addtocart","purchase"),"Purchase Related","Other")
 | stats count by activity


Here is what this search is doing:

  • The eval command creates a new field called activity.
  • If the action field in an event contains the value addtocart or purchase, the value Purchase Related is placed in the activity field.
  • If the action field in an event contains any other value, the value Other is placed in the activity field.
  • The stats command counts the Purchase Related and Other values in the activity field.


The results appear on the Statistics tab and show the counts for how many events have Purchase Related activity and how many have Other types of activity.

Smooth operator | Searching for multiple field values | Splunk (1)This results table is great. You can also show the results in a chart. Switch to the Visualization tab and change the chart type to Pie Chart.

Smooth operator | Searching for multiple field values | Splunk (2)

You can save this search as a dashboard panel or a report.

Resources

See the following Splunk documentation for more information:

Smooth operator | Searching for multiple field values | Splunk (3)

Splunk

The world’s leading organizations trustSplunkto help keep their digital systems secure and reliable. Our software solutions and services help to prevent major issues, absorb shocks and accelerate transformation. Learnwhat Splunk doesandwhy customers choose Splunk.

Smooth operator | Searching for multiple field values | Splunk (2024)

FAQs

How to search for multiple values in the same field in Splunk? ›

The syntax is simple: field IN (value1, value2, ...) Note: The IN operator must be in uppercase. You can also use a wildcard in the value list to search for similar values.

See More
What is a multivalue field in Splunk? ›

multivalue field

A field that exists in the Splunk platform event data that contains more than one value. Fields usually have a single value, but for events such as email logs you can often find multivalue fields in the To: and Cc: information.

Get More Info
What is the SPL command in Splunk? ›

SPL is the abbreviation for the Splunk Search Processing Language. The Search Processing Language is a set of commands that you use to search your data. There are 2 versions of the Search Processing Language: SPL and SPL2. SPL encompasses all the search commands and their functions, arguments, and clauses.

Continue Reading
Is Splunk spl case sensitive? ›

By default, searches are case-insensitive. For example, if you search for Error , any case of that term is returned, such as Error , error , and ERROR . You can use the CASE directive to perform case-sensitive matches for terms and field values.

View Details
How to search for multiple values in Oracle? ›

In the search field, enter the list of alphanumeric item numbers that you want to retrieve in your search. Separate each item number with a comma. You can copy and paste a list of numbers into the search field. Click Search.

Know More
Where is the multivalue function used? ›

In Salesforce Data Pipelines, use multivalue functions with your multivalue data. For example, look for a specific value, count how many values there are, create a new multivalue by combining other text, convert a multivalue to a string, or split a string and return a multivalue.

Show Me More
What is an example of a multivalue multicolumn problem? ›

A: Multi value , multi column problem : This problem is happens when database table is used multiple columns to store values of an attribute. example: STUDENT(StudentNumber, StudentName, SiblingName1,SibilingName2,SibilingName3, Major) in a…

Discover More
How do you create a multivalued lookup field? ›

Create a multivalued field

Click in the Data Type column for that row, click the arrow and then, in the drop-down list, select Lookup Wizard. Note The Lookup Wizard creates three types of lists depending on the choices you make in the wizard: a lookup field, a values list field, and a multivalued field.

Learn More
What are the 3 modes in Splunk search? ›

search mode

A setting that optimizes your search performance by controlling the amount or type of data that the search returns. Search mode has three settings: Fast, Verbose, and Smart. Fast mode speeds up searches by limiting the types of data returned by the search.

Read On
What is the Rex command in Splunk? ›

The rex command matches the value of the specified field against the unanchored regular expression and extracts the named groups into fields of the corresponding names. When mode=sed , the given sed expression used to replace or substitute characters is applied to the value of the chosen field.

Read The Full Story

What is the use of fields command in Splunk? ›

The SPL2 fields command specifies which fields to keep or remove from the search results. By default, the internal fields _raw and _time are included in the output.

View More
What is the top command in Splunk SPL? ›

The top command in Splunk serves as a tool for identifying the most frequent or highest-ranking values within a dataset. By specifying fields and criteria, users can pinpoint the top values, facilitating trend analysis, anomaly detection, and performance monitoring.

Learn More
What is the difference between Splunk SQL and SPL? ›

SQL is designed to search column-consisting relational database tables. The SPL is designed to scan for events consisting of fields. You often see examples in SQL which use "mytable" and "mycolumn." You'll see examples in SPL which relate to "fields." In these examples, the field "source" is used as a "table" proxy.

Read On
How do I search Splunk without being case sensitive? ›

Click "Settings" > "Lookups" > "Lookup definitions" and find the look up you would like to modify. Check "advanced options" and either check or uncheck "Case sensitive match" depending on your preference.

Explore More
How do you search for multiple specific values in a field in your where clause? ›

Using an OR condition enables you to specify several alternative values to search for in a column. This option expands the scope of the search and can return more rows than searching for a single value. You can often use the IN operator instead to search for multiple values in the same data column.

Show Me More
How do I see concurrent searches in Splunk? ›

If your are using splunk 6.2, just look your Management Console: settings->Distributed Management Console. Note that only admins can access. Once you are there, take a look at the CONCURRENT SEARCHES. Click on the number of searches displayed, to get the snapshots of all the concurrent system searches.

Tell Me More
What is multisearch in Splunk? ›

Multisearch is a generating command that runs multiple streaming searches at the same time. It requires at least two searches and should only contain purely streaming operations such as eval , fields , or rex within each search.

Read On

References

Top Articles
Chocolate Coffee Truffles Recipe (Paleo, Vegan) - Bake It Paleo
The Recipe for Easy 3 Ingredient Sugar Free Peanut Butter Cookies
Zachary Zulock Linkedin
Terraria Artisan Loaf
Dr. Hannah Straight Website
Which Universal Life Option Has A Gradually
Demon Souls Moonshadestone
Greater Keene Men's Softball
Miller Motte College Student Portal
Start EN - Casimir Pulaski Foundation
North Station To Lowell Schedule
Minneapolis Rubratings
Creative Fall Bloxburg House Ideas For A Cozy Season
M&T Bank Atm Locations Near Me
Kimpton Hotels In Charleston Sc
Gulfport Senior Center Calendar
John Chiv Words Worth
Black Ballerina Michaela Mabinty DePrince morreu aos 29 anos
Long-awaited Ringu sequel Sadako doesn’t click with the 21st century
Gopher Hockey Forum
Rooms For Rent Portland Oregon Craigslist
Greene County sheriff sues state auditor for not releasing whistleblower complaints
Bank Of America.aomc
SEBO (UK) Ltd on LinkedIn: #sebouk #commercialcleaning #cleaning #floorcleaning #carpetcleaning
Henry Metzger Lpsg
The Secret Powers Of Doodling
Elm Nychhc Org
Gestalt psychology | Definition, Founder, Principles, & Examples
Bilt Rent Day Challenge June 2023 Answers
Lox Club Gift Code
三上悠亜 Thank You For Everything Mikami Yua Special Photo Book
Palm Coast Permits Online
Adriana Zambrano | Goosehead Insurance Agent in Metairie, Louisiana
Wyze Recover Deleted Events
Bj's Gas Price Victor Ny
Www.publicsurplus.com Motor Pool
Pho Outdoor Seating Near Me
Nina Volyanksa
Pathé Amsterdam Noord
C Spire Express Pay
Press-Citizen Obituaries
North Haven Power School
Left Periprosthetic Femur Fracture Icd 10
The Little Mermaid (2023) | Rotten Tomatoes
Jane Powell, Spirited Star of Movie Musicals ‘Royal Wedding,’ ‘Seven Brides,’ Dies at 92
Espn Masters Leaderboard
Was genau ist eine pillow princess?
Liberty 1098-T
Highplainsobserverperryton
Houses and Apartments For Rent in Maastricht
Dragon Ball Super Super Hero 123Movies
O2 Fitness West Ashley Photos
Latest Posts
29 Healthy And Easy Spiralizer Recipes (+Tips)
56 Unbelievably Delicious Weight Loss Dinner Recipes Under 500 Calories! – TrimmedandToned
Article information

Author: Mrs. Angelic Larkin

Last Updated:

Views: 6348

Rating: 4.7 / 5 (47 voted)

Reviews: 86% of readers found this page helpful

Author information

Name: Mrs. Angelic Larkin

Birthday: 1992-06-28

Address: Apt. 413 8275 Mueller Overpass, South Magnolia, IA 99527-6023

Phone: +6824704719725

Job: District Real-Estate Facilitator

Hobby: Letterboxing, Vacation, Poi, Homebrewing, Mountain biking, Slacklining, Cabaret

Introduction: My name is Mrs. Angelic Larkin, I am a cute, charming, funny, determined, inexpensive, joyous, cheerful person who loves writing and wants to share my knowledge and understanding with you.