Usage Of IN Function With Where Command

This post shows how to use the function “in( )” with the “where” command.
Normally we search for a field value as shown below; say we have a field IP_Address:

[Screenshot (135): a search filtering the field IP_Address on a single value]

Imagine what this looks like if you want to search for many specific values of a single field: it quickly becomes long and inefficient.
So here is a better way to implement the same filtering, using the “where” command with its “in( )” function.
The “in( )” function has the following syntax:

| where in(<field_name>, <field_value1>, <field_value2>, <field_value3>, ...)

The screenshot below shows the usage for the field “IP_Address”:

[Screenshot (134): the same search using | where in(IP_Address, ...) with several addresses]

The best thing about this function is that it makes your searches shorter and more efficient: it removes the need to repeat the “OR” operator over and over in your search query.
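As an added example (not from the original post) of the two forms side by side, here is a typical defender's use: matching firewall events against a small list of addresses. The index name “firewall”, the fields src_ip and action, and the IP addresses are all assumed sample values; the third search goes beyond the post by using in( ) inside eval to tag events and NOT in( ) to exclude values.

```spl
index=firewall (src_ip="10.0.0.5" OR src_ip="10.0.0.17" OR src_ip="192.168.1.40")
| stats count BY src_ip action

index=firewall
| where in(src_ip, "10.0.0.5", "10.0.0.17", "192.168.1.40")
| stats count BY src_ip action

index=firewall
| eval watchlisted=if(in(src_ip, "10.0.0.5", "10.0.0.17", "192.168.1.40"), "yes", "no")
| where NOT in(action, "allowed", "allow")
| stats count BY watchlisted src_ip action
```

Because “where” filters events after they have been retrieved, for the initial search the `IN` operator of the search command (`index=firewall src_ip IN ("10.0.0.5", "10.0.0.17")`) is the cheaper choice; in( ) under “where” and “eval” is what you reach for later in the pipeline or inside expressions like if( ).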

Happy Splunking!!

