Usage Of IN Function With Where Command

This post shows how to use the function “in( )” with the “where” command.
Normally, a search for several specific values of a field, say a field IP_Address, is written as shown below, repeating the field for each value:

[Screenshot (135): the usual search, with the IP_Address field repeated once per value]
Imagine how that looks when you want to search for many specific values of a single field: the query grows long and becomes highly inefficient to write and read.
A better way to implement the same filtering is the “where” command with its “in( )” function.
The “in( )” function has the following syntax:

| where in(<field_name>, <field_value1>, <field_value2>, <field_value3>, ...)

The screenshot below shows the usage for the field “IP_Address”:

[Screenshot (134): the same filter written with | where in(IP_Address, ...)]

The main benefit of this function is that it makes your searches shorter and more efficient: it removes the need to repeat the “OR” operator again and again in your search query.
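As an added example, which is not part of the original post and does not come from the screenshots, here is the IP_Address filter written several ways. The index name “web” and the private addresses are constructed for illustration. The first search is the repeated-OR form, the second is the “where in( )” form described above, the third uses the IN operator directly in the base search command, and the fourth shows the negated form for excluding a list of known hosts.

```spl
index=web (IP_Address="10.0.0.5" OR IP_Address="10.0.0.9" OR IP_Address="192.168.1.20")
| stats count BY IP_Address

index=web
| where in(IP_Address, "10.0.0.5", "10.0.0.9", "192.168.1.20")
| stats count BY IP_Address

index=web IP_Address IN ("10.0.0.5", "10.0.0.9", "192.168.1.20")
| stats count BY IP_Address

index=web
| where NOT in(IP_Address, "10.0.0.5", "10.0.0.9")
| stats count BY IP_Address
```

One caveat worth keeping in mind: “where” filters events after they have been retrieved from the index, while the IN operator in the base search lets the indexers discard non-matching events before they are returned, so over large time ranges the third form is the one to prefer, and “where in( )” is the right tool for fields that only exist after an eval or rex. Also, “in( )” compares exact values; a pattern such as 10.0.0.* needs like( ) or match( ) instead.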

Happy Splunking!!

You can also read about the usage of Splunk commands: IPLOCATION
