The in operator in APL filters records based on whether a value matches any element in a specified set using case-sensitive comparison. Use this operator to check if a field value equals one of several values, which is more concise and efficient than chaining multiple equality checks with or. The in operator works with any scalar type, including strings, numbers, booleans, datetime values, and dynamic arrays.
Use the in operator when you need exact case-sensitive matching against multiple values, such as filtering logs by specific status codes, identifying requests from particular regions, or isolating traces from a subset of services.
For users of other query languages
If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
In Splunk SPL, you use the IN function within a search or where command to check if a field value matches any value in a list. APL's in operator works similarly but uses a different syntax with parentheses around the set of values. The APL in operator is case-sensitive by default.
['sample-http-logs']
| where method in ('GET', 'POST', 'PUT')In ANSI SQL, you use the IN operator within a WHERE clause to filter rows where a column value matches any value in a list. APL's in operator behaves the same way but is case-sensitive for string comparisons.
['sample-http-logs']
| where method in ('GET', 'POST', 'PUT')Usage
Syntax
Expression in (Value1, Value2, ...)Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| Expression | scalar | Yes | The value to find in the given set. |
| Value | scalar or tabular | Yes | The values to compare against the expression. Specify individual scalar values, a dynamic array, or a subquery. When using a subquery with multiple columns, APL uses the first column. The operator supports up to 1,000,000 unique values in the set. |
Returns
Returns true if the expression value is found in the specified set. Returns false otherwise.
Use case examples
Filter HTTP logs to find requests with successful status codes.
Query
['sample-http-logs']
| where status in ('200', '201', '204')
| project _time, method, uri, statusOutput
| _time | method | uri | status |
|---|---|---|---|
| 2024-10-17 10:15:00 | GET | /api/users | 200 |
| 2024-10-17 10:16:30 | POST | /api/data | 201 |
| 2024-10-17 10:17:45 | DELETE | /api/item | 204 |
This query filters the HTTP logs to return only requests that resulted in successful status codes (200, 201, or 204), helping you focus on completed requests.
Identify traces from specific services in your microservices architecture.
Query
['otel-demo-traces']
| where ['service.name'] in ('frontend', 'checkout', 'cart')
| project _time, trace_id, ['service.name'], kind, durationOutput
| _time | trace_id | service.name | kind | duration |
|---|---|---|---|---|
| 2024-10-17 11:00:00 | abc123 | frontend | server | 45ms |
| 2024-10-17 11:00:05 | def456 | checkout | server | 120ms |
| 2024-10-17 11:00:10 | ghi789 | cart | client | 30ms |
This query filters traces to show only spans from the frontend, checkout, and cart services, helping you analyze traffic flow through critical user-facing services.
Use with dynamic arrays
When you pass a dynamic array with nested arrays, APL flattens them into a single list. For instance, x in (dynamic([1, [2, 3]])) is equivalent to x in (1, 2, 3).
let methods = dynamic(['GET', 'POST']);
['sample-http-logs']
| where method in (methods)List of related operators
- !in: Use for case-sensitive matching to exclude values. Returns
trueif the value is not in the set. - in~: Use for case-insensitive matching. Matches values regardless of case.
- !in~: Use for case-insensitive exclusion. Excludes values regardless of case.
- where: Use to filter rows based on conditions. The
inoperator is commonly used withinwhereclauses. - has_any: Use for term matching against multiple values. Unlike
inwhich checks for exact equality,has_anychecks if a string contains any of the specified terms.