
Split text input for dashboard/form and search on multiple values?

dennywebb
Path Finder

The idea is that users want to be able to filter on IP/subnet... but to select multiple options at a time. Seems to me the best way to allow this (well, a left/right box, but I think that's reaching a bit for what Splunk will support) would be to let them enter them one per line or comma separated in a text box, then split the values on Submit and search on each of them.

So I suppose my question is two-fold...
1) Can this splitting of the entered data be done (Sideview?)
2) Is there a SQL like IN() construct for Splunk that will allow me to do the search easily or will I (presuming I can Split them) need to dynamically write a "src_ip=$val1$ OR src_ip=$val2$ OR..." string and stuff it into my search? I have seen the suggestions to use inputlookup however because the subnet matching requires "field=value" type of search parameters it seems like this wouldn't work.

Thanks!


sideview
SplunkTrust

You can use Sideview modules to do this. Specifically TextField with a little help from ValueSetter and also from ArrayValueSetter. It's a little weird looking but it won't need a subsearch. Here I've done it as comma-separated input but you can specify newlines with "\n".

There is a whole docs page about ArrayValueSetter and how to use it. It basically takes array-valued $foo$ tokens and turns them into search expressions like (foo=17 OR foo=29 OR foo=952). However to read the full docs, download the latest Sideview Utils (2.4.10) from the sideview website at http://sideviewapps.com/apps/sideview-utils. Once the app is installed load it in the UI and go to "Module Documentation > The ValueSetter modules > The ArrayValueSetter module", and this example below is actually one of the official working examples there. Likewise there are docs pages dedicated to ValueSetter, TextField and of course the Search and HTML modules. (Make sure you're on the latest Sideview Utils though, because there was a whitespace behavior improvement that was only just fixed in ArrayValueSetter)

<module name="TextField">
  <param name="name">src_ip</param>
  <param name="label">enter multiple IP or CIDR expressions separated by commas</param>
  <param name="default">10.0.0.0/8,    192.168.0.1</param>

  <module name="Button">

    <module name="ValueSetter">
      <param name="name">src_ip_array</param>
      <param name="delim">,</param>
      <param name="value">$src_ip$</param>

      <module name="ArrayValueSetter">
        <param name="name">src_ip_search_expression</param>
        <param name="array">$src_ip_array$</param>
        <param name="template">src_ip="$value$"</param>
        <param name="separator">+OR+</param>
        <param name="outerTemplate">( $value$ )</param>

        <module name="HTML">
          <param name="html"><![CDATA[
            <pre>
DEBUGGING OUTPUT:<br>

src_ip (The TextField output) = <b>$src_ip$</b><br>
src_ip_array (The ValueSetter's output, which will actually be a JS array) = <b>$src_ip_array$</b><br>
src_ip_search_expression (The ArrayValueSetter's output) = <b>$src_ip_search_expression$</b><br>
<br>
(To plug this into a search,  all you have to do is use $$src_ip_search_expression$$ in a "Search" module.)
            </pre>

          ]]></param>
        </module>
      </module>
    </module>
  </module>
</module>

martin_mueller
SplunkTrust

Assuming you have an input called $IPs$ containing values like "1.2.3.4,2.3.4.5,3.4.5.6" you can do something like this:

outer search goes here [stats count | eval src_ip = "$IPs$" | makemv src_ip delim="," | mvexpand src_ip | fields src_ip] | further processing

The subsearch will evaluate to an OR'd chain of src_ip="1.2.3.4" and so on, essentially an SQL IN. You can look at what a subsearch yielded through the search inspector as well, great for debugging.
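As an added illustration (written for this page; it is not Splunk's, Sideview's or either answerer's code), here is a small Python mirror of what both approaches above produce: it splits the text box contents on commas or newlines, trims whitespace (the Sideview example deliberately uses "10.0.0.0/8,    192.168.0.1"), keeps only entries that parse as an IP address or CIDR block, and assembles the ( src_ip="..." OR src_ip="..." ) chain that the subsearch or the ArrayValueSetter would hand to the outer search. The validation step is the part neither answer shows: the token is substituted straight into SPL, so anything that is not an IP or CIDR (a stray quote, an OR index=* tacked on) is rejected instead of being passed through. The sample input and the src_ip field name are assumptions.

```python
import ipaddress
import re

# Constructed sample of a text box submission (not from the original thread):
# comma- and newline-separated, uneven whitespace, one non-IP entry.
SAMPLE_INPUT = "10.0.0.0/8,    192.168.0.1\n 2001:db8::/32, 1.2.3.4, not-an-ip"

# Splunk field names: letters, digits, underscore. Reject anything else so the
# field half of field="value" cannot carry search syntax either.
FIELD_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

# Characters an IPv4/IPv6 address or CIDR block can contain. Checked before
# parsing so that quotes, spaces and operators never reach the search string.
IP_CHARS = re.compile(r"[0-9A-Fa-f.:/]+")


def split_values(raw):
    """Split the text box contents on commas or newlines, trim each entry and
    drop empties (the ValueSetter delim / makemv delim step)."""
    return [v.strip() for v in re.split(r"[,\r\n]+", raw) if v.strip()]


def is_ip_or_cidr(value):
    """True if value is an IPv4/IPv6 address or CIDR block.
    strict=False accepts a block written with host bits set (10.0.0.1/8);
    use strict=True if you want those rejected as well."""
    if not IP_CHARS.fullmatch(value):
        return False
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False


def build_or_expression(raw, field="src_ip"):
    """Return (expression, rejected): the OR'd field="value" chain that the
    subsearch or ArrayValueSetter would produce, plus the entries dropped
    because they are not IP/CIDR values."""
    if not FIELD_NAME.fullmatch(field):
        raise ValueError(f"invalid field name: {field!r}")
    values = split_values(raw)
    accepted = [v for v in values if is_ip_or_cidr(v)]
    rejected = [v for v in values if not is_ip_or_cidr(v)]
    if not accepted:
        raise ValueError("no valid IP or CIDR values supplied")
    # Accepted values passed the IP_CHARS allowlist, so they contain no quotes
    # or whitespace and can be wrapped in double quotes as-is.
    chain = " OR ".join(f'{field}="{v}"' for v in accepted)
    return f"( {chain} )", rejected


if __name__ == "__main__":
    expr, rejected = build_or_expression(SAMPLE_INPUT)
    print("search expression:", expr)
    print("rejected entries:", rejected)
```

The resulting string is exactly what you would plug in where the Search module consumes $src_ip_search_expression$, or what the [stats count | eval ... | mvexpand] subsearch returns to the outer search; the filtering belongs in front of the $IPs$ / $src_ip$ token in either approach, since the dashboard itself does no validation of what the user typed.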

jzapantis
Path Finder

Can you please provide more context? I am trying to implement your example and I am having a hard time due to errors.

Can src_ip be any name we want, or does it have to be the field name of the field we are trying to do a multiple search for?

Does anything need to happen or NOT need to happen before "outer search goes here"?

What does: "[stats count" do?

Thank you!


dennywebb
Path Finder

Martin, you're the man. Thanks!
