Solved: Check multiple fields against multiselect value?

eroffol · ‎06-13-2017

Is it possible to check multiple fields against a multiselect value?

For example:
My multiselect input has 2 values selected, NORMAL and SEVERE

I want my search to look like:

...
| where field1 == "NORMAL" OR field2 == "NORMAL" OR field1 == "SEVERE" OR field2 == "SEVERE"

I know I can achieve this by having 2 separate multiselects (one for each field), but I was wondering if it is possible to just use 1.

somesoni2 · ‎06-13-2017

After having your multiselect returning values in format "Value1,Value2" (you would need to adjust prefix/separator and other things), you can run query like this

.... | where [|gentimes start=-1 | eval field1=split("$multiselectToken",",") | table field1 | mvexpand field1] OR [|gentimes start=-1 | eval field2=split("$multiselectToken",",") | table field2 | mvexpand field2]

View solution in original post

somesoni2 · ‎06-13-2017

After having your multiselect returning values in format "Value1,Value2" (you would need to adjust prefix/separator and other things), you can run query like this

.... | where [|gentimes start=-1 | eval field1=split("$multiselectToken",",") | table field1 | mvexpand field1] OR [|gentimes start=-1 | eval field2=split("$multiselectToken",",") | table field2 | mvexpand field2]

Check multiple fields against multiselect value?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation