How can I use TERM() phrases that comes from an D...

Mockjin · ‎03-28-2023

Hi *

i am trying to search via tstats and TERM() statements. How can i use TERM() phrases that comes from an Dashboard input field?

for example

Input field= test1,test2

Output search=

| tstats
values(PREFIX(test_content=)) as test_content
where
index=testindex AND (TERM(host=test1) OR TERM(host=test2)
by _time PREFIX(host=)

Gr0und_Z3r0 · ‎03-28-2023

hi @Mockjin
assuming your field & value is like this inputfield= "test1,test2" you can do something like this

| tstats values(PREFIX(test_content=)) as test_content
where index=testindex AND (TERM(host=mvindex(split(inputfield,","),0)) OR TERM(host=mvindex(split(inputfield,","),1))
by _time PREFIX(host=)

Mockjin · ‎03-28-2023

Hi @Gr0und_Z3r0 , thank you for your quick answer. When i try your idea i get the error message "unbalanced parantheses". I changed the Example Search for understanding.

Direct search without inputfield in test_dashboard:

|tstats count where index=_internal AND (TERM(name=dump) OR TERM(name=exec)) by PREFIX(name=)

Example search with _internal index and text field named inputfield in test_dashboard:

inputfield="dump,exec"

|tstats count where index=_internal AND (TERM(name=mvindex(split($inputfield$,","),0)) OR TERM(name=mvindex(split($inputfield$,","),1))) by PREFIX(name=)

Any idea why?

Gr0und_Z3r0 · ‎03-29-2023

try this way....

| tstats count where index=_internal by PREFIX(group=) 
| rename group= as group 
| eval inputfield="thruput,queue" 
| where group=mvindex(split(inputfield,","),0) OR group=mvindex(split(inputfield,","),1) 
| table group count

How can I use TERM() phrases that comes from an Dashboard input field?

dashboard

Splunk Observability Cloud | Customer Survey!

Happy CX Day, Splunk Community!

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas