How to search on each entry in a text box input where entries are comma-delimited?

splunk_vb — Mon, 30 Jul 2018 15:59:43 GMT

I have users entering usernames separated by commas into a text box input. I want to run a search on this input that finds any events that have any of the usernames (this is for a base search). So if the user enters username1,username2,username3, I want the search

 | search user=username1 OR user=username2 OR user=username3

to run. I tried using a multivalue field:

<pre>| eval user2 = $text_box_input$
| makemv delim="," user2
| mvcombine user2 delim="OR user="
| nomv user2
| search user=user2
</pre>

But it wasn't working for me. Any help would be appreciated!

Re: How to search on each entry in a text box input where entries are comma-delimited?

niketn — Tue, 29 Sep 2020 20:40:59 GMT

@splunk_vb, if you are on Splunk 6.6 or later, this should be fairly easy with the IN operator for multiple value comparison. For previous versions of Splunk you may have to run an independent search to set multiple OR conditions similar to the one mentioned in your question. (PS: Search event handler <done> is used in version 6.5 or higher, which was <finalized> in version 6.4 or before.)

Please try the following run anywhere dashboard example based on Splunk's _internal index which has log_level values as INFO, WARN and ERROR for testing and showcasing both the scenarios:

Following is the Simple XML Code for screenshot attached:

<form>
  <label>Text Box Multiple Value Filter</label>
  <!-- Independent search to prepare filter data for Option 2-->
  <search>
    <query>| makeresults
| fields - _time
| eval filterData=$tokLogLevelOption2|s$
| eval filterData=replace(filterData,",","\" OR log_level=\"")</query>
    <done>
      <set token="tokLogLevelOption2Filter">$result.filterData$</set>
    </done>
  </search>
  <fieldset submitButton="false">
    <input type="time" token="tokTime" searchWhenChanged="true">
      <label>Select Time</label>
      <default>
        <earliest>-1d@d</earliest>
        <latest>@d</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Option 1: Splunk 6.6 or higher with IN clause</title>
      <input type="text" token="tokLogLevelOption1" searchWhenChanged="true">
        <label>Log Level Filters ( INFO, ERROR and WARN)</label>
      </input>
      <table>
        <search>
          <query>index=_internal sourcetype=splunkd log_level IN ($tokLogLevelOption1$)
| stats count by log_level</query>
          <earliest>$tokTime.earliest$</earliest>
          <latest>$tokTime.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Option 2: Splunk 6.5 or prior with OR clause</title>
      <input type="text" token="tokLogLevelOption2" searchWhenChanged="true">
        <label>Log Level Filters ( INFO, ERROR and WARN)</label>
        <prefix>log_level="</prefix>
        <suffix>"</suffix>
      </input>
      <table>
        <search>
          <query>index=_internal sourcetype=splunkd $tokLogLevelOption2Filter$
| stats count by log_level</query>
          <earliest>$tokTime.earliest$</earliest>
          <latest>$tokTime.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>

Please try out and confirm!

Re: How to search on each entry in a text box input where entries are comma-delimited?

splunk_vb — Tue, 31 Jul 2018 13:01:02 GMT

"IN" was exactly what I was looking for! Thank you!

topic How to search on each entry in a text box input where entries are comma-delimited? in Splunk Search

How to search on each entry in a text box input where entries are comma-delimited?

Re: How to search on each entry in a text box input where entries are comma-delimited?

Re: How to search on each entry in a text box input where entries are comma-delimited?