Solved: How do I read comma separated inputs from a single...

Kwip · ‎12-02-2018

Hi Team,

I am creating a form where a user can input a set of values separated by commas. Below are the details and example.

I need to generate a table with a set of jobs along with some other information.

The job name will have a unique ID. Those IDs will be provided as a comma separated input by the user.

Job_Name=aaa.bbb.ccc.xxxxx(UniqueID).dddddd.ccccc

So, the user input needs to be applied in the Job_Name field in a OR condition. Like below,

Say example user imput is 12345, 09876, 67543

I need to generate a search like index=something sourecetype=something Job_Name=aaa.bbb.ccc.12345.dddddd.ccccc OR aaa.bbb.ccc.09876.dddddd.ccccc OR aaa.bbb.ccc.67543.dddddd.ccccc.

Please help me out on this.

kamlesh_vaghela · ‎12-03-2018

@Kwip

Can you please try this?

<form>
   <label>Job Search</label>
   <fieldset submitButton="false">
     <input type="text" token="input_jobs">
       <label>IDs (comma-separated)</label>
     </input>
   </fieldset>
   <row>
     <panel>
       <table>
         <search>
           <query> index=something sourecetype=something  [| makeresults | eval input="$input_jobs$" | eval Job_Name=split(input,",") | mvexpand Job_Name |eval Job_Name="aaa.bbb.ccc.".Job_Name.".dddddd.ccccc" | table Job_Name  ]   </query>
           <earliest>-24h@h</earliest>
           <latest>now</latest>
         </search>
         <option name="count">10</option>
         <option name="drilldown">none</option>
         <option name="refresh.display">progressbar</option>
       </table>
     </panel>
   </row>
 </form>

Thanks

View solution in original post

kamlesh_vaghela · ‎12-03-2018

@Kwip

Can you please try this?

<form>
   <label>Job Search</label>
   <fieldset submitButton="false">
     <input type="text" token="input_jobs">
       <label>IDs (comma-separated)</label>
     </input>
   </fieldset>
   <row>
     <panel>
       <table>
         <search>
           <query> index=something sourecetype=something  [| makeresults | eval input="$input_jobs$" | eval Job_Name=split(input,",") | mvexpand Job_Name |eval Job_Name="aaa.bbb.ccc.".Job_Name.".dddddd.ccccc" | table Job_Name  ]   </query>
           <earliest>-24h@h</earliest>
           <latest>now</latest>
         </search>
         <option name="count">10</option>
         <option name="drilldown">none</option>
         <option name="refresh.display">progressbar</option>
       </table>
     </panel>
   </row>
 </form>

Thanks

Kwip · ‎12-03-2018

Awesomw @kamlesh_vaghela. This is what I am looking for.

kamlesh_vaghela · ‎12-03-2018

Glad to help you. 🙂
Happy Splunking

whrg · ‎12-02-2018

I think it might be easier in your case to use a subsearch instead of OR conditions.

My idea was to extract the UniqueID from the events in the base search. (You could also use a field extraction instead of the rex command.) The subsearch will then match the UniqueIDs against the user input. Have a look at this dashboard:

<form>
  <label>Job Search</label>
  <fieldset submitButton="false">
    <input type="text" token="input_jobs">
      <label>IDs (comma-separated)</label>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults count=3 | streamstats count
| eval Job_Name=case(count==1,"aaa.bbb.ccc.12345.dddddd.ccccc",count==2,"aaa.bbb.ccc.09876.dddddd.ccccc",count==3,"aaa.bbb.ccc.67543.dddddd.ccccc")
| rex field=Job_Name "aaa\.bbb\.ccc.(?<UniqueID>[\d]+)"
| search [| makeresults count=1
   | eval input="$input_jobs$"
   | eval input=replace(input," ","")
   | eval UniqueID=split(input,",")
   | mvexpand UniqueID | table UniqueID]</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="count">10</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

(You will need to replace the first two lines of the search query with something like: index=something sourcetype=something...)

When my user input is "11111,67543,22222" then it will show the "aaa.bbb.ccc.12345.dddddd.ccccc" event.

Kwip · ‎12-03-2018

Thank you for the immediate response @whrg. This query limiting the numbers to 3. I need it depends on the user input.

naidunath · ‎06-22-2021

Hi All

I have "Text Panel" on dashboard, which is created to filter results with "file name". So if I give single file name it is working fine. But I am looking for multiple inputs like "filename01.txt , filename02.pdf", then it should give the table output on dashboard.

Please help how can I configure or write a code for "Text Panel" to get correct results.

Thanks & Regards

Raghu

naidunath · ‎06-22-2021

Please see the screen shot "File Name", need the help on that.

How do I read comma separated inputs from a single text input box in a form?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation