Solved: Check multiple fields against multiselect value?

eroffol · ‎06-13-2017

Is it possible to check multiple fields against a multiselect value?

For example:
My multiselect input has 2 values selected, NORMAL and SEVERE

I want my search to look like:

...
| where field1 == "NORMAL" OR field2 == "NORMAL" OR field1 == "SEVERE" OR field2 == "SEVERE"

I know I can achieve this by having 2 separate multiselects (one for each field), but I was wondering if it is possible to just use 1.

somesoni2 · ‎06-13-2017

After having your multiselect returning values in format "Value1,Value2" (you would need to adjust prefix/separator and other things), you can run query like this

.... | where [|gentimes start=-1 | eval field1=split("$multiselectToken",",") | table field1 | mvexpand field1] OR [|gentimes start=-1 | eval field2=split("$multiselectToken",",") | table field2 | mvexpand field2]

View solution in original post

somesoni2 · ‎06-13-2017

After having your multiselect returning values in format "Value1,Value2" (you would need to adjust prefix/separator and other things), you can run query like this

.... | where [|gentimes start=-1 | eval field1=split("$multiselectToken",",") | table field1 | mvexpand field1] OR [|gentimes start=-1 | eval field2=split("$multiselectToken",",") | table field2 | mvexpand field2]

Check multiple fields against multiselect value?

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms

Updated Team Landing Page in Splunk Observability