Separate multiple search values with an OR clause with Splunk?

Question

I have a text box in a Splunk dashboard, and I'm trying to find out how I can separate values entered into the text box that are separated by commas with an OR clause.

For example:

values entered into text box: 102.99.99, 103.99.93, 203.23.21

index=abc sourcetype=abc src_ip="$ip$"

Any suggestions?

score 3 · Accepted Answer · answered Oct 25 '22 at 15:55

3

What about using the IN operator?

index=abc sourcetype=abc src_ip IN ($ip$)

answered Oct 25 '22 at 15:55

Mads Hansen

63,927
12
112
147

Thank you! This worked. I tried to make it more difficult than it had to be. – YouKnowWhyImHere Oct 25 '22 at 16:17

Separate multiple search values with an OR clause with Splunk?

1 Answers1