Solved: Re: How can I include a trailing whitespace in a m...

nick405060 · ‎06-05-2019

Hey guys

I'd like to have a multiselect populate a raw string search but some of the values end in whitespace.

<choice value="some raw string that option1 represents ending in a space ">option1</choice>
<choice value="some raw string that option2 represents not ending in a space">option2</choice>
<choice value="some raw string that option3 represents ending in a space ">option3</choice>
<delimiter> OR </delimiter>
<valuePrefix>'</valuePrefix>
<valueSuffix>'</valueSuffix>

And then index=myindex $multiselect$

However this does not work since the trailing space at the end of the choice value is cut off. Escaping with nbsp throws an error, and a few other whitespace escapes that I tried do not work either. https://stackoverflow.com/questions/514635/represent-space-and-tab-in-xml-tag does not work for SimpleXML.

Any ideas??

niketn · ‎06-10-2019

@nick405060 can you try the following run anywhere example based on sample code provided in the question?
Instead of Space in the Value of Multiselect I have used ### which I have later replaced with a space using independent search to process the token value returned from the multiselect.

<form>
  <label>multiselect with trailing spaces</label>
  <fieldset submitButton="false">
    <input type="multiselect" token="tokMultiSelectInput" searchWhenChanged="true">
      <label>Multiselect</label>
      <choice value="some raw string that option1 represents ending in a space###">Option 1</choice>
      <choice value="some raw string that option2 represents not ending in a space">Option 2</choice>
      <choice value="some raw string that option3 represents ending in a space###">Option 3</choice>
      <delimiter> OR </delimiter>
      <valuePrefix>'</valuePrefix>
       <valueSuffix>'</valueSuffix>
    </input>
  </fieldset>
  <!-- Independent Search to Format results from Multiselect Input to be used in Search -->
  <search>
    <query>| makeresults
      | fields - _time
      | eval tokMulti=replace("$tokMultiSelectInput$","###"," ")
    </query>
    <done>
      <set token="tokMulti">$result.tokMulti$</set>
    </done>
  </search>
  <row>
    <panel>
      <html>
        <div>tokMulti: $tokMulti$</div>
      </html>
    </panel>
  </row>
</form>

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

niketn · ‎06-10-2019

@nick405060 can you try the following run anywhere example based on sample code provided in the question?
Instead of Space in the Value of Multiselect I have used ### which I have later replaced with a space using independent search to process the token value returned from the multiselect.

<form>
  <label>multiselect with trailing spaces</label>
  <fieldset submitButton="false">
    <input type="multiselect" token="tokMultiSelectInput" searchWhenChanged="true">
      <label>Multiselect</label>
      <choice value="some raw string that option1 represents ending in a space###">Option 1</choice>
      <choice value="some raw string that option2 represents not ending in a space">Option 2</choice>
      <choice value="some raw string that option3 represents ending in a space###">Option 3</choice>
      <delimiter> OR </delimiter>
      <valuePrefix>'</valuePrefix>
       <valueSuffix>'</valueSuffix>
    </input>
  </fieldset>
  <!-- Independent Search to Format results from Multiselect Input to be used in Search -->
  <search>
    <query>| makeresults
      | fields - _time
      | eval tokMulti=replace("$tokMultiSelectInput$","###"," ")
    </query>
    <done>
      <set token="tokMulti">$result.tokMulti$</set>
    </done>
  </search>
  <row>
    <panel>
      <html>
        <div>tokMulti: $tokMulti$</div>
      </html>
    </panel>
  </row>
</form>

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

nick405060 · ‎06-10-2019

Ah. That would do it. Figured I'd see a @niketnilay response on this one! Thanks a bunch

nick405060 · ‎06-10-2019

I had some major problems properly escaping quotes with this method. If it wasn't for the trailing space regular valuePrefixes/Suffixes would have done the trick. If it helps anyone else, I did get this method working though: (I took the removed items mentioned from the final query, so this is not copy and pasteable. But it is besides that query.)

<form>
  <label>VPN Activity</label>
  <description></description>

  <fieldset submitButton="true" autoRun="false">
    <input type="time" token="TIMERANGE" searchWhenChanged="false">
      <label>Time range:</label>
      <default>
        <earliest>@d</earliest>
        <latest>now</latest>
      </default>
      <change>
        <eval token="earliest_epoch_onChange">case(isnum($earliest$), $earliest$, $earliest$=="now", time(), $earliest$="", 0, true(), relative_time(time(), $earliest$))</eval>
        <eval token="latest_epoch_onChange">case(isnum($latest$), $latest$, $latest$=="now", time(), true(), relative_time(time(), $latest$))</eval>
      </change>
    </input>
    <input type="text" token="earliest_epoch" depends="$justHideMe$">
      <default>$earliest_epoch_onChange$</default>
    </input>
    <input type="text" token="latest_epoch" depends="$justHideMe$">
      <default>$latest_epoch_onChange$</default>
    </input>
    <input type="text" token="networkIdOnChange" searchWhenChanged="false">
      <label>NetworkID:</label>
      <default>Enter ID</default>
    </input>
    <input type="text" token="networkId" depends="$justHideMe$">
      <default>$networkIdOnChange$</default>
    </input>
    <input type="text" token="ipOnChange" searchWhenChanged="false">
      <label>IP:</label>
      <default>*</default>
    </input>
    <input type="text" token="ip" depends="$justHideMe$">
      <default>$ipOnChange$</default>
    </input>
    <!-- Full token is modded later so that trailing whitespaces and two "Group" formats can be included -->
    <input type="multiselect" token="typesOnChange" searchWhenChanged="false" id="types_multiselect">
      <label>Type</label>
      <choice value="Group_">Group</choice>
      <choice value="TunnelGroup">TunnelGroup</choice>
      <choice value="Teardown">Teardown</choice>
      <choice value="Built">Build</choice>
      <choice value="Deny">Deny</choice>
      <choice value="Disconnected">Disconnected</choice>
      <choice value="Access-list">Access-List</choice>
      <choice value="AAA">AAA User Auth</choice>
      <choice value="User_">Admin User</choice>
      <default>Admin User</default>
      <delimiter> OR </delimiter>
    </input>
    <input type="text" token="types_unformatted" depends="$justHideMe$">
      <default>$typesOnChange$</default>
    </input>
    <input type="dropdown" token="advancedOnChange" searchWhenChanged="false">
      <label>Use advanced field extractions?</label>
      <choice value="yes">Yes</choice>
      <choice value="no">No</choice>
      <default>No</default>
    </input>
    <input type="text" token="advanced" depends="$justHideMe$">
      <default>$advancedOnChange$</default>
    </input>
  </fieldset>
  <!-- Multiselect mod-->
  <search>
    <query>
| makeresults | eval orig="$types_unformatted$" | eval temp=orig
| eval temp=replace(temp,"Group_","\"Group = \" OR \"Group &lt;\"")
| eval temp=replace(temp,"TunnelGroup","\"TunnelGroup \"")
| eval temp=replace(temp,"Teardown","\"Teardown \"")
| eval temp=replace(temp,"Built","\"Built \"")
| eval temp=replace(temp,"Deny","\"Deny \"")
| eval temp=replace(temp,"Disconnected","\"Disconnected\"")
| eval temp=replace(temp,"Access-list","\"access-list\"")
| eval temp=replace(temp,"AAA","\"AAA user authentication Rejected\"")
| eval temp=replace(temp,"User_","(\"User \'\" NOT \"access-list\")")
  </query>
    <done>
      <set token="types">$result.temp$</set>
      <set token="types_string">$result.orig$</set>
    </done>
  </search>

  <row>
    <panel depends="$alwaysHideCSS$">
      <html>
        <style>
          #types_multiselect div[data-component="splunk-core:/splunkjs/mvc/components/MultiDropdown"]{
            width: 275px !important;
          }
          #types_multiselect div[data-view="splunkjs/mvc/multidropdownview"]{
            width: 275px !important;
            margin-right: auto !important;
          }
          .fieldset .input{
            width:auto !important;
          }  
        </style>
      </html>
    </panel>
  </row>

  <row>
    <panel>
      <title></title>
      <table>
        <search>
          <query>
index=asa $networkId$ $types$ $ip$ |
-- many regexes that use "$types_string$" go here -- |
table goodfields * | fields - badfields | eventstats count as _count
          </query>
          <earliest>$earliest_epoch$</earliest>
          <latest>$latest_epoch$</latest>
          <preview>
            <set token="vpn_count">$result._count$</set>
          </preview>
        </search>
      </table>
    </panel>
  </row>

</form>

kmorris_splunk · ‎06-05-2019

Can you use the Token Value Suffix and append an *. This would allow for when there is or isn't a whitespace at the end.

nick405060 · ‎06-10-2019

It still trims the whitespace

maciep · ‎06-05-2019

assuming this is the same as your other question?

nick405060 · ‎06-05-2019

it is not. the workaround for this that I thought of is the other question, although that workaround also is not working https://answers.splunk.com/answers/750198/is-it-possible-to-use-match-in-an-initial-search-e.html

How can I include a trailing whitespace in a multiselect choice value?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...