Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why am I unable to pass values across to multivalue fields?

ssadh_splunk
Splunk Employee
Splunk Employee
‎04-09-2018 10:27 AM

Hi,

I am trying to build a dashboard with 4 MultiValue Input fields.

MV_field1 with Values MVF1_A, MVF1_B,..... MVF1_N (so on)
MV_field2 with Values MVF2_A,MVF2_B,......MVF2_N
MV_field3 with Values MVF3_A,MVF3_B,......MVF3_N
MV_field4 with Values MVF4_A,MVF4_B,......MVF4_N

MV_field2 values depend on MV_field1, MV_field3 depends on MV_field2 and so on..

The data is coming from a lookup and the field values are populating for MV_field1 based on this search

| inputlookup mylookup.csv
| fields "fieldA" 
| dedup fieldA

MV_field2 values are dynamically getting populated by using below search, based on the values I chose from first multivalue input list

| inputlookup mylookup.csv
| search "fieldA" IN ($fieldA$)
| dedup fieldB
| fields "fieldB"

However, when I select multiple values in MV_field2 along with MV_field1, my third MV_field3 list doest get populated. It gets stuck with message, "Could not create Search." and mouse over shows the message, "Search is waiting for input"

The search I am using to populate the third input is as below:

| inputlookup mylookup.csv
| search  ("fieldA" IN ($fieldA$)) AND (fieldB IN $fieldB$)
| fields fieldC
| dedup fieldC

Any pointers would be greatly appreciated.

0 Karma
Reply

niketn
Legend
‎04-15-2018 01:58 AM

@ssadh would it be possible for you to share the Simple XML code for multi-value fields?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

DalJeanis
Legend
‎04-14-2018 06:12 PM

If the syntax of your second search is working, then format the second half of your third search exactly the way that worked ... ("fieldB" IN ($fieldB$)) .

0 Karma
Reply

somesoni2
Revered Legend
‎04-09-2018 11:36 AM

Check if the field names and token names used in your MV_field3 multiselect input query are correct (they are case sensitive). The message suggests that one of the tokens in that query is not resolving to a valid value.

0 Karma
Reply

ssadh_splunk
Splunk Employee
Splunk Employee
‎04-09-2018 11:41 PM

Yes, all spellings are correct and case sensitivity is followed across the dashboard.

0 Karma
Reply

Sukisen1981
Champion
‎04-14-2018 12:20 PM

i think you have been editing the same dashboard and saving your dashboard as you build on the tokens, save refresh 2-3 times, log out and log back in...i know it sounds silly but it might just work

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...