Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Does Splunk have an equivalent to SQL's IN () construct?

andrewdotnich
Explorer
‎06-27-2011 05:22 PM

I have an analyst who wants to find logs where the value of a field is in a list of values. In SQL we can do this by saying:

SELECT * FROM table WHERE field IN (tuple, of, values);

Is there an easy, throw-away way to do this in Splunk?

EDIT: This list is too long to specify with a string of OR clauses; I'm looking for something a little neater than that…

Reply
1 Solution
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎06-27-2011 05:39 PM

1) You could create a lookup (think a big csv file) where each row is one of the values in your tuple.
The lookup would have to have two columns even though in such a simple case the second one feels redundant.

in this case lets say wegive it columns called 'value' and 'weirdness' as your columns. 

<your search> | lookup mylookupname fieldName | where weirdness=1

http://www.splunk.com/base/Documentation/4.2.2/User/Fieldlookupstutorial

http://www.splunk.com/base/Documentation/latest/SearchReference/Lookup

2) If the events that you're trying to match on are a tiny subset of the main events, there's another similar way that can be much more efficient. That is to use the inputlookup command within a subsearch. Essentially you're doing that gigantic OR search, butin an automated way

<your search> [ inputlookup mylookupname | fields myfieldname ]

http://www.splunk.com/base/Documentation/4.2.2/User/HowSubsearchesWork

View solution in original post

Reply
Solved! Jump to solution

MattZerfas
Communicator
‎09-05-2017 12:49 PM

In Splunk 6.6 there is a new feature now that you CAN use IN(). Below is a link to the doc on it.

IN() operator in search

Reply
Solved! Jump to solution

rstitt
Explorer
‎02-10-2017 09:10 PM

Another idea: Use regex

| regex field="^(a|b|c|d|e|f|g)$"

A bit clunky, but better than tons of ORs.

0 Karma
Reply
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎06-27-2011 05:39 PM

1) You could create a lookup (think a big csv file) where each row is one of the values in your tuple.
The lookup would have to have two columns even though in such a simple case the second one feels redundant.

in this case lets say wegive it columns called 'value' and 'weirdness' as your columns. 

<your search> | lookup mylookupname fieldName | where weirdness=1

http://www.splunk.com/base/Documentation/4.2.2/User/Fieldlookupstutorial

http://www.splunk.com/base/Documentation/latest/SearchReference/Lookup

2) If the events that you're trying to match on are a tiny subset of the main events, there's another similar way that can be much more efficient. That is to use the inputlookup command within a subsearch. Essentially you're doing that gigantic OR search, butin an automated way

<your search> [ inputlookup mylookupname | fields myfieldname ]

http://www.splunk.com/base/Documentation/4.2.2/User/HowSubsearchesWork

Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎06-27-2011 08:22 PM

And note that inputlookup is one way to populate the subsearch clause. You can use any valid Splunk search in the subsearch, just as you can use any SQL statement in a subselect.

0 Karma
Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎06-27-2011 08:21 PM

Edited some. A subsearch within the base search is exactly the equivalent of a subselect used in an IN clause in SQL.

Also, the size of the list (the IN clause, or the size of mylookupname file) can be 10,000 items in size, which is larger than the allowed size of an IN clause in many SQL databases.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...