Splunk Search

How can I programmatically generate list of "OR" terms in a search?

dwaddle
SplunkTrust

I am trying to figure out some method of using something like a scripted lookup to programmatically generate a set of "OR" terms in a search. This would be roughly analogous to an SQL "IN" clause.

As a concrete example, I would like to be able to tie in data from one of our operations support systems. I can create a scripted input to return from there a set of hosts that match certain criteria (say, "is production and Debian"). I've been able to make this work using a pattern similar to:

blah blah blah | join host [ inputlookup production_and_debian ]

This works in some cases, but the problems with join (both from a result-size aspect and a performance aspect) make this difficult to apply in a general sense.

Ideally, I'd like to be able to do something like:

blah blah blah host IN ( [ inputlookup production_and_debian ] ) 

but I know that IN / NOT IN is not supported in the current search language.

I guess I could create a series of search macros that expand out to the form of

AND ( host="mike" OR host="jeff" OR host="bob")

but was hoping for something that could be done more dynamically and would have less maintenance effort.

1 Solution

araitz
Splunk Employee

I'm not sure I understand your question, but wouldn't the 'format' command provide a sufficient union of terms?

As for 'IN', I do something similar in my blog post on lookups here:

http://blogs.splunk.com/2011/01/11/maintaining-state-of-the-union/

To take your example:

... | append [inputlookup production_and_debian | eval is_deb_prod="true" ] | fillnull is_deb_prod value="false" | stats dc(is_deb_prod) as deb_prod_count by host | search deb_prod_count>1

If I am way off, I apologize in advance.


dwaddle
SplunkTrust

That is a most excellent blog post. But, yeah, format does seem to bake things basically like I needed them. In fact, I think I may not have understood subsearches well enough to begin with, because a simple [inputlookup mylookup] seems to do well enough. Thanks!
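Added example (not from either poster): the subsearch form dwaddle settled on, with `fields host` added so only the host column feeds the expansion and `format` written out explicitly to show what the implicit subsearch formatting does. The index, sourcetype and lookup columns are assumed.

```spl
index=os sourcetype=linux_secure
    [ | inputlookup production_and_debian
      | fields host
      | dedup host
      | format ]
| stats count BY host
```

With the default `format` arguments the subsearch returns a single `search` field such as `( ( host="web01" ) OR ( host="web02" ) )`, which the outer search substitutes in place of the brackets; without `fields host`, every other column of the lookup would be ANDed into each row's term.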
