Splunk Search

How can I programmatically generate a list of "OR" terms in a search?

dwaddle
SplunkTrust

I am trying to figure out some method of using something like a scripted lookup to programmatically generate a set of "OR" terms in a search. This would be roughly analogous to an SQL "IN" clause.

As a concrete example, I would like to be able to tie in data from one of our operations support systems. I can create a scripted input to return from there a set of hosts that match certain criteria (say, "is production and Debian"). I've been able to make this work using a pattern similar to:

blah blah blah | join host [ inputlookup production_and_debian ]

This works in some cases, but the problems with join (both from a result-size aspect and a performance aspect) make this difficult to apply in a general sense.

Ideally, I'd like to be able to do something like:

blah blah blah host IN ( [ inputlookup production_and_debian ] ) 

but I know that IN / NOT IN is not supported in the current search language.

I guess I could create a series of search macros that expand out to the form of

AND ( host="mike" OR host="jeff" OR host="bob")

but was hoping for something that could be done more dynamically and would have less maintenance effort.

1 Solution

araitz
Splunk Employee

I'm not sure I understand your question, but wouldn't the 'format' command provide a sufficient union of terms?

As for 'IN', I do something similar in my blog post on lookups here:

http://blogs.splunk.com/2011/01/11/maintaining-state-of-the-union/

To take your example:

... | append [inputlookup production_and_debian | eval is_deb_prod="true" ] | fillnull is_deb_prod value="false" | stats dc(is_deb_prod) as deb_prod_count by host | search deb_prod_count>1

If I am way off, I apologize in advance.
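To make the 'format' suggestion concrete, here is an added example (not from the thread, and not Splunk's own code) that emulates what a subsearch over the lookup expands to: one term per lookup row, OR-ed together, with the fields inside a row AND-ed. The lookup rows, the host names and the base search are constructed for the example; the hypothetical build_search function just shows how a script that generates searches for Splunk could assemble the clause. Two details are assumptions stated in the code: the quoting of values (backslashes and double quotes escaped so a lookup value cannot break out of its term) and the "NOT( )" returned for an empty lookup, which is what format's emptystr option defaults to, so an empty lookup does not silently turn into a match-everything search.

```python
"""Emulate the default `format` expansion Splunk applies to a subsearch.

Added example, not code from the original thread. The CSV below stands in
for the production_and_debian lookup and is constructed for this example.
"""
import csv
import io

# Constructed stand-in for a production_and_debian.csv lookup file.
LOOKUP_CSV = """host,os,tier
mike,debian,production
jeff,debian,production
bob,debian,production
"""


def quote(value: str) -> str:
    """Quote one field value for use in a search term.

    Assumption: escaping backslashes and double quotes is what keeps a
    lookup value containing either character inside its own term.
    """
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def format_rows(rows, fields=None):
    """Return the default format-style clause for a list of row dicts.

    Rows become `( f1="v1" AND f2="v2" )` terms joined with OR and wrapped in
    one more pair of parentheses. `fields` plays the role of `| fields host`
    before format: without it every lookup column ends up in every term.
    """
    terms = []
    for row in rows:
        keep = list(fields) if fields else list(row)
        conj = " AND ".join(f"{f}={quote(row[f])}" for f in keep if f in row)
        if conj:
            terms.append(f"( {conj} )")
    if not terms:
        # Assumption: format's emptystr default. An empty string here would
        # make the outer search match everything, which is the dangerous case.
        return "NOT( )"
    return "( " + " OR ".join(terms) + " )"


def load_lookup(csv_text: str):
    """Parse lookup CSV text into row dicts, the way inputlookup would see it."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def build_search(base: str, csv_text: str, fields=("host",)) -> str:
    """Hypothetical helper: append the generated clause to a base search."""
    return f"{base} {format_rows(load_lookup(csv_text), fields)}"


if __name__ == "__main__":
    print(build_search("index=os sourcetype=syslog", LOOKUP_CSV))
    # Compare with what you get when the subsearch does not restrict fields:
    print(format_rows(load_lookup(LOOKUP_CSV)))
```

Restricting the subsearch to the field you actually want to match on matters: the second print shows every term carrying os and tier as well, which only matches if the events also have those fields.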



dwaddle
SplunkTrust

That is a most excellent blog post. But, yeah, format does seem to bake things basically like I needed them. In fact, I think I may not have understood subsearches well enough to begin with, because a simple [inputlookup mylookup] seems to do well enough. Thanks!
