All Apps and Add-ons

SideView Utils ValueSetter Module Delim: Can you use newlines from a textfield value as the delimiter in a ValueSetter Module?

jpass
Contributor

I'd like to use the new line as a delimiter in a ValueSetter module. The end goal is users, who are afraid of normal syntax, could add search logic per line and I'd use the ValueSetter Module along with the ArrayValueSetter Module to turn the TextField value into a string separated by ORs. For example:

TextField Value:
("192.168.1.1" AND "ausername")
192.168.2.4
("blahblah" AND "foofoo")
"another key phrase"

Then I'd use ValueSetter / ArrayValueSetter to create the following string to be used in a search:

("192.168.1.1" AND "ausername") OR 192.168.2.4 OR ("*blahblah*" AND "*foofoo*") OR "another key phrase"

I know it seems silly to not just have users learn to use the search themselves. Id like to know how to do this. If it's not achievable without custombehavior, I would likely opt for telling users to just insert their own ORs but it would be nice as they could just paste a list of items which sometimes is needed.

1 Solution

sideview
SplunkTrust
SplunkTrust

Yep, you have to use "\n" as the delim.

Check out the following example. $src_ip_search_expression$ comes out as

( src_ip="10.0.0.0/8" OR src_ip="192.168.0.1" )


<module name="TextField"autoRun="True">
  <param name="name">src_ip</param>
  <param name="label">enter multiple IP or CIDR expressions separated by commas</param>
  <param name="rows">5</param>
  <param name="default">10.0.0.0/8
192.168.0.1</param>
  <module name="Button">

    <module name="ValueSetter">
      <param name="name">src_ip_array</param>
      <param name="delim">\n</param>
      <param name="value">$src_ip$</param>

      <module name="ArrayValueSetter">
        <param name="name">src_ip_search_expression</param>
        <param name="array">$src_ip_array$</param>
        <param name="template">src_ip="$value$"</param>
        <param name="separator">+OR+</param>
        <param name="outerTemplate">( $value$ )</param>

        <module name="HTML">
          <param name="html"><![CDATA[

src_ip (The TextField output) = <b>$src_ip$</b><br>
src_ip_array (The ValueSetter's output, which will actually be a JS array) = <b>$src_ip_array$</b><br>
src_ip_search_expression (The ArrayValueSetter's output) = <b>$src_ip_search_expression$</b>


          ]]></param>
        </module>
      </module>
    </module>
  </module>
</module>

The ValueSetter docs can tell you more about delim, and the ArrayValueSetter docs have an example much like this one but where comma is the delim.

View solution in original post

sideview
SplunkTrust
SplunkTrust

Yep, you have to use "\n" as the delim.

Check out the following example. $src_ip_search_expression$ comes out as

( src_ip="10.0.0.0/8" OR src_ip="192.168.0.1" )


<module name="TextField"autoRun="True">
  <param name="name">src_ip</param>
  <param name="label">enter multiple IP or CIDR expressions separated by commas</param>
  <param name="rows">5</param>
  <param name="default">10.0.0.0/8
192.168.0.1</param>
  <module name="Button">

    <module name="ValueSetter">
      <param name="name">src_ip_array</param>
      <param name="delim">\n</param>
      <param name="value">$src_ip$</param>

      <module name="ArrayValueSetter">
        <param name="name">src_ip_search_expression</param>
        <param name="array">$src_ip_array$</param>
        <param name="template">src_ip="$value$"</param>
        <param name="separator">+OR+</param>
        <param name="outerTemplate">( $value$ )</param>

        <module name="HTML">
          <param name="html"><![CDATA[

src_ip (The TextField output) = <b>$src_ip$</b><br>
src_ip_array (The ValueSetter's output, which will actually be a JS array) = <b>$src_ip_array$</b><br>
src_ip_search_expression (The ArrayValueSetter's output) = <b>$src_ip_search_expression$</b>


          ]]></param>
        </module>
      </module>
    </module>
  </module>
</module>

The ValueSetter docs can tell you more about delim, and the ArrayValueSetter docs have an example much like this one but where comma is the delim.

Get Updates on the Splunk Community!

New Splunk Observability innovations: Deeper visibility and smarter alerting to ...

You asked, we delivered. Splunk Observability Cloud has several new innovations giving you deeper visibility ...

Synthetic Monitoring: Not your Grandma’s Polyester! Tech Talk: DevOps Edition

Register today and join TekStream on Tuesday, February 28 at 11am PT/2pm ET for a demonstration of Splunk ...

Instrumenting Java Websocket Messaging

Instrumenting Java Websocket MessagingThis article is a code-based discussion of passing OpenTelemetry trace ...