- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Error in multiselect - Could not create search
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Below is the code for multiselect which gets populated dynamically based on user selection. The Search query seems to be working fine outside using Search & Reporting app. But doesnt work when added as dynamic query to dashboard.
<input type="multiselect" token="tokenhost" searchWhenChanged="true">
<label>$hosttype$</label>
<search>
<query>index=app sourcetype=app_gc_log | eval host = case(host like "%" +substr(lower($hosttype$),1, 3)+ "%", host)| dedup host | table host</query>
<earliest>-30d@d</earliest>
<latest>now</latest>
</search>
<fieldForLabel>host</fieldForLabel>
<fieldForValue>host</fieldForValue>
<valuePrefix>host=</valuePrefix>
<delimiter> OR </delimiter>
</input>
<input type="time" token="field2" searchWhenChanged="true">
<label></label>
<default>
<earliest>-4h@m</earliest>
<latest>now</latest>
</default>
</input>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
$hosttype$ needs to get an initial value for the search to be built and run.
You can do that in another dynamic input or by giving it a static value in another input.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
$hosttype$ needs to get an initial value for the search to be built and run.
You can do that in another dynamic input or by giving it a static value in another input.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What do you mean by "didn't work?" Do you get an error message?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Where did you define the $hosttype$ token you are using there?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It is passed from another dashboard but I am pretty sure the value is getting passed to $hosttype$. I am able to see the value passed.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
so you see the new $hosttype$ value in your label? Or is this one empty?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i see the value in label
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@sangs8788, Can you try the following search, which converts both terms to be matched into lower case?
index=app sourcetype=app_gc_log
| eval host = case(match(lower(host),lower(substr("$hosttype$",1, 3))), host)
| dedup host
| table host
| sort host
If this does not work, can you run the same search for multiselect inside a table to see whether you are getting results?
<table>
<search>
<query>index=app sourcetype=app_gc_log | eval host = case(host like "%" +substr(lower($hosttype$),1, 3)+ "%", host)| dedup host | table host</query>
<earliest>-30d@d</earliest>
<latest>now</latest>
</search>
</table>
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Error displays right below the multiselect "could not create search"
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
