All Apps and Add-ons

SideView Utils ValueSetter Module Delim: Can you use newlines from a textfield value as the delimiter in a ValueSetter Module?

jpass
Contributor

I'd like to use the new line as a delimiter in a ValueSetter module. The end goal is users, who are afraid of normal syntax, could add search logic per line and I'd use the ValueSetter Module along with the ArrayValueSetter Module to turn the TextField value into a string separated by ORs. For example:

TextField Value:
("192.168.1.1" AND "ausername")
192.168.2.4
("blahblah" AND "foofoo")
"another key phrase"

Then I'd use ValueSetter / ArrayValueSetter to create the following string to be used in a search:

("192.168.1.1" AND "ausername") OR 192.168.2.4 OR ("*blahblah*" AND "*foofoo*") OR "another key phrase"

I know it seems silly to not just have users learn to use the search themselves. Id like to know how to do this. If it's not achievable without custombehavior, I would likely opt for telling users to just insert their own ORs but it would be nice as they could just paste a list of items which sometimes is needed.

1 Solution

sideview
SplunkTrust
SplunkTrust

Yep, you have to use "\n" as the delim.

Check out the following example. $src_ip_search_expression$ comes out as

( src_ip="10.0.0.0/8" OR src_ip="192.168.0.1" )


<module name="TextField"autoRun="True">
  <param name="name">src_ip</param>
  <param name="label">enter multiple IP or CIDR expressions separated by commas</param>
  <param name="rows">5</param>
  <param name="default">10.0.0.0/8
192.168.0.1</param>
  <module name="Button">

    <module name="ValueSetter">
      <param name="name">src_ip_array</param>
      <param name="delim">\n</param>
      <param name="value">$src_ip$</param>

      <module name="ArrayValueSetter">
        <param name="name">src_ip_search_expression</param>
        <param name="array">$src_ip_array$</param>
        <param name="template">src_ip="$value$"</param>
        <param name="separator">+OR+</param>
        <param name="outerTemplate">( $value$ )</param>

        <module name="HTML">
          <param name="html"><![CDATA[

src_ip (The TextField output) = <b>$src_ip$</b><br>
src_ip_array (The ValueSetter's output, which will actually be a JS array) = <b>$src_ip_array$</b><br>
src_ip_search_expression (The ArrayValueSetter's output) = <b>$src_ip_search_expression$</b>


          ]]></param>
        </module>
      </module>
    </module>
  </module>
</module>

The ValueSetter docs can tell you more about delim, and the ArrayValueSetter docs have an example much like this one but where comma is the delim.

View solution in original post

sideview
SplunkTrust
SplunkTrust

Yep, you have to use "\n" as the delim.

Check out the following example. $src_ip_search_expression$ comes out as

( src_ip="10.0.0.0/8" OR src_ip="192.168.0.1" )


<module name="TextField"autoRun="True">
  <param name="name">src_ip</param>
  <param name="label">enter multiple IP or CIDR expressions separated by commas</param>
  <param name="rows">5</param>
  <param name="default">10.0.0.0/8
192.168.0.1</param>
  <module name="Button">

    <module name="ValueSetter">
      <param name="name">src_ip_array</param>
      <param name="delim">\n</param>
      <param name="value">$src_ip$</param>

      <module name="ArrayValueSetter">
        <param name="name">src_ip_search_expression</param>
        <param name="array">$src_ip_array$</param>
        <param name="template">src_ip="$value$"</param>
        <param name="separator">+OR+</param>
        <param name="outerTemplate">( $value$ )</param>

        <module name="HTML">
          <param name="html"><![CDATA[

src_ip (The TextField output) = <b>$src_ip$</b><br>
src_ip_array (The ValueSetter's output, which will actually be a JS array) = <b>$src_ip_array$</b><br>
src_ip_search_expression (The ArrayValueSetter's output) = <b>$src_ip_search_expression$</b>


          ]]></param>
        </module>
      </module>
    </module>
  </module>
</module>

The ValueSetter docs can tell you more about delim, and the ArrayValueSetter docs have an example much like this one but where comma is the delim.

Get Updates on the Splunk Community!

Splunk is Nurturing Tomorrow’s Cybersecurity Leaders Today

Meet Carol Wright. She leads the Splunk Academic Alliance program at Splunk. The Splunk Academic Alliance ...

Part 2: A Guide to Maximizing Splunk IT Service Intelligence

Welcome to the second segment of our guide. In Part 1, we covered the essentials of getting started with ITSI ...

Part 1: A Guide to Maximizing Splunk IT Service Intelligence

As modern IT environments continue to grow in complexity and speed, the ability to efficiently manage and ...