- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Error in multiselect - Could not create search
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Below is the code for multiselect which gets populated dynamically based on user selection. The Search query seems to be working fine outside using Search & Reporting app. But doesnt work when added as dynamic query to dashboard.
<input type="multiselect" token="tokenhost" searchWhenChanged="true">
<label>$hosttype$</label>
<search>
<query>index=app sourcetype=app_gc_log | eval host = case(host like "%" +substr(lower($hosttype$),1, 3)+ "%", host)| dedup host | table host</query>
<earliest>-30d@d</earliest>
<latest>now</latest>
</search>
<fieldForLabel>host</fieldForLabel>
<fieldForValue>host</fieldForValue>
<valuePrefix>host=</valuePrefix>
<delimiter> OR </delimiter>
</input>
<input type="time" token="field2" searchWhenChanged="true">
<label></label>
<default>
<earliest>-4h@m</earliest>
<latest>now</latest>
</default>
</input>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
$hosttype$ needs to get an initial value for the search to be built and run.
You can do that in another dynamic input or by giving it a static value in another input.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
$hosttype$ needs to get an initial value for the search to be built and run.
You can do that in another dynamic input or by giving it a static value in another input.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What do you mean by "didn't work?" Do you get an error message?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Where did you define the $hosttype$ token you are using there?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It is passed from another dashboard but I am pretty sure the value is getting passed to $hosttype$. I am able to see the value passed.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
so you see the new $hosttype$ value in your label? Or is this one empty?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i see the value in label
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@sangs8788, Can you try the following search, which converts both terms to be matched into lower case?
index=app sourcetype=app_gc_log
| eval host = case(match(lower(host),lower(substr("$hosttype$",1, 3))), host)
| dedup host
| table host
| sort host
If this does not work, can you run the same search for multiselect inside a table to see whether you are getting results?
<table>
<search>
<query>index=app sourcetype=app_gc_log | eval host = case(host like "%" +substr(lower($hosttype$),1, 3)+ "%", host)| dedup host | table host</query>
<earliest>-30d@d</earliest>
<latest>now</latest>
</search>
</table>
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Error displays right below the multiselect "could not create search"
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
New in Observability Cloud - Explicit Bucket Histograms
