topic Multiselect dropdown with wildcards in Splunk Search

Multiselect dropdown with wildcards

DATT — Wed, 26 Mar 2025 16:05:21 GMT

I have a field that I need to search on that is a long string of comma-separated values. It comes from our vulnerability scanner tool, Qualys, and looks something like this:

"OS: Windows 10 22H2, Port: 53, AV: Installed, SW: Maya, SVC: SiegeTower"

I have a multiselect dropdown on the dashboard with each unique tag that I want my users to be able to select any/all tags that matter to them. Application owners may only be concerned about viewing data related to their particular service on a particular operating system (user selects "OS: Windows 10 22H2" and "SVC: SiegeTower" for example).

The problem I'm running into is when users select multiple tags, the search looks like this:

<base search>
| search TAGS IN ("OS: Windows 10 22H2","SVC: SiegeTower")
| ...

which returns zero results. What I really need is:

<base search>
| search TAGS IN ("*OS: Windows 10 22H2*","*SVC: SiegeTower*")
| ...

Which has wildcard characters on each search selection and does return the correct results.

Is there any way to add wildcards to the multiselect dropdown selections to get the right results? The only other option I tried a combination of split and mvexpand on the TAGS field to perform the search but between thousands of endpoints and dozens of tags, I ran into memory issues that I won't be able to overcome any time soon.

Any help here is appreciated!

Re: Multiselect dropdown with wildcards

livehybrid — Wed, 26 Mar 2025 16:16:38 GMT

Hi @DATT

How about this?

<form version="1.1"> <label>ClassicTest</label> <fieldset submitButton="false" autoRun="true"> <input type="multiselect" token="tags" searchWhenChanged="true"> <label>Tags</label> <choice value="OS: MacOS">OS: MacOS</choice> <choice value="OS: Windows 10">OS: Windows 10</choice> <choice value="OS: Windows 11">OS: Windows 11</choice> <prefix>tags = </prefix> <valuePrefix>"*</valuePrefix> <valueSuffix>*"</valueSuffix> <delimiter> OR tags=</delimiter> </input> </fieldset> <row> <panel> <title></title> <table> <title>Output</title> <search> <query>|makeresults | eval msg="Event 1", tags="Junk1,OS: Windows 11,something1" | append [|makeresults | eval msg="Event 2", tags="Junk2,OS: Windows 10,something2"] | append [|makeresults | eval msg="Event 3", tags="Junk3,OS: MacOS 15.4,something1"] | search $tags$</query> <earliest>-30d@d</earliest> <latest>now</latest> <sampleRatio>1</sampleRatio> </search> <option name="drilldown">none</option> <option name="refresh.display">progressbar</option> </table> </panel> </row> </form>

This uses a selection of tags="*<something>*" OR .. instead of trying to use IN.

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will

Re: Multiselect dropdown with wildcards

DATT — Wed, 26 Mar 2025 16:46:27 GMT

This looks like a classic dashboard? I didn't think to mention we're using Dashboard Studio. Is prefix/suffix available in Dashboard Studio?

Re: Multiselect dropdown with wildcards

DATT — Wed, 26 Mar 2025 19:50:44 GMT

Turns out the solution was simpler than I thought.

The multiselect is populated from a query. Within that query I just created another field that took the tags and added wildcard characters to the front and back.

<base search>
| eval TAGS = split(TAGS, ",")
| mvexpand TAGS
| dedup TAGS
| table TAGS
| eval TAGS_WILDCARD = "*" + TAGS + "*"
| sort TAGS

With this, I mapped TAGS to the dynamic menu label field, and TAGS_WILDCARD to the dynamic menu value field. I was then able to use the token filter "|s" to wrap each value in quotes.

Ultimately, I ended up with this

<base search> 
| search TAGS IN ($includeTag|s$) AND TAGS NOT ($excludeTag|s$)

Re: Multiselect dropdown with wildcards

PickleRick — Wed, 26 Mar 2025 21:10:13 GMT

I'd go the other way around - either extract the values into separate fields or use tokenizer to split the field into multiple values. Searching for wildcards at the beginning of the search term is very ineffective.

Re: Multiselect dropdown with wildcards

livehybrid — Wed, 26 Mar 2025 22:19:06 GMT

Ah yes okay, that is Classic only, sorry I didnt realise you were wanting Dashboard Studio!