topic Re: How do you search a field with multiple values from an Input BOX? in Dashboards & Visualizations

How do you search a field with multiple values from an Input BOX?

Chandras11 — Mon, 12 Nov 2018 18:30:32 GMT

Hi,

I currently have a working report as:

`Master_Search`  |eval Upper_Element = upper(Element)| rex field=Upper_Element mode=sed "s/ //g"  | search(Upper_Element = "*K21A*" OR Upper_Element = "*DG23*" OR Upper_Element = "*FM23*"  OR Upper_Element = "*DP14*")|

Now, I want to convert it to a dashboard with a user input where I can fetch the search values in the Input box in the dashboard:

<row>
    <panel>
       <input type="multiselect" searchWhenChanged="true" token="Element_t">
        <label>Element in Upper case</label>
        <default>K21A DG23 FM23</default>
      </input>
    </panel>
  </row>

However, I am not certain how I can get the similar results as the above query. I tried the following approaches
1. I have tried to use the subquery

[search * | head 1 | eval Upper_Element="$Element_t$" | makemv delim=" " Upper_Element | fields Upper_Element]

Tried to use the delimiter in multi-select as

XdelimiterY " OR Upper_Element = " X/delimiterY //replace the X and Y with less than and greater than symbol
But, I am not getting the proper results. Could you please direct me to the correct path. I am really confused here.

Thanks a lot in advance for the help.

Br,
Chandra

Re: How do you search a field with multiple values from an Input BOX?

bkirk — Mon, 12 Nov 2018 21:00:40 GMT

Searching is generally case insensitive, so do you need to do all that changing to upper and creating a new field? I was able to do something like this below with the multiselect and just add it to my search with the Prefix/Suffix in the multiselect options. Also see the examples dashboard, they give a good example on how to use the multiselect.

    <input type="multiselect" searchWhenChanged="true" token="Element_t">
      <label>Element in Upper case</label>
      <choice value="K21A">K21A</choice>
      <choice value="DG23">DG23</choice>
      <choice value="FM23">FM23</choice>
      <default>K21A,DG23,FM23</default>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <initialValue>K21A,DG23,FM23</initialValue>
      <valuePrefix>Element="*</valuePrefix>
      <valueSuffix>*"</valueSuffix>
      <delimiter> OR </delimiter>
    </input>

.
.
.

  <row>
    <panel>
      <table>
        <search>
          <query>`Master_Search` $Element_t$ |</query>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>

Re: How do you search a field with multiple values from an Input BOX?

Chandras11 — Tue, 13 Nov 2018 06:57:19 GMT

Thanks for the prefix and suffix information. In my index, there are more then 100000+ elements with 64 columns dependent on them. The user wants to give the element name as a single string with space in between. I need to first extract all Elements separately and then make a search with OR.

Re: How do you search a field with multiple values from an Input BOX?

bkirk — Tue, 13 Nov 2018 14:20:48 GMT

Ok how about this I used makeresults in a subsearch to build the search and added the format to add the OR's:

  <fieldset submitButton="true">
    <input type="multiselect" searchWhenChanged="true" token="Element_t">
      <label>Element in Upper case</label>
      <choice value="*K21A* *DG23* *FM23*">K21A DG23 FM23</choice>
      <default>K21A DG23 FM23</default>
      <prefix>"</prefix>
      <suffix>"</suffix>
      <initialValue>*K21A* *DG23* *FM23*</initialValue>
      <valuePrefix></valuePrefix>
      <valueSuffix></valueSuffix>
      <delimiter> </delimiter>
    </input>

And this is the search:

      <table>
        <search>
          <query>`Master_Search` [|makeresults |eval Element=$Element_t$ |eval Element=split(Element," ")|table Element | format "(" "" "" "" "OR" ")"]</query>
        </search>
        <option name="drilldown">none</option>
      </table>

Keep in mind that the *'s are going to make the search slow but if these strings are in the middle of Element with no spaces before and after or special characters you will need them. I would leave the *'s out if you can. Also if these values need to be found in any part of the row not just in the Element you can change the Element to search:

      <table>
        <search>
          <query>`Master_Search` [|makeresults |eval search=$Element_t$ |eval search=split(search," ")|table search | format "(" "" "" "" "OR" ")"]</query>
        </search>
        <option name="drilldown">none</option>
      </table>

Hope this helps you.

Re: How do you search a field with multiple values from an Input BOX?

Chandras11 — Tue, 13 Nov 2018 14:31:08 GMT

Let me check it with my existing query. However, you already taught me a lot with these functionalities 🙂

Re: How do you search a field with multiple values from an Input BOX?

bkirk — Tue, 13 Nov 2018 14:48:33 GMT

I have remembered a lot of things that I forgot 🙂

Here is a good answer on the format function does a good job explaining it:
https://answers.splunk.com/answers/351834/how-can-i-use-a-search-results-table-to-power-anot.html