Hi,
I currently have a working report as:
`Master_Search` |eval Upper_Element = upper(Element)| rex field=Upper_Element mode=sed "s/ //g" | search(Upper_Element = "*K21A*" OR Upper_Element = "*DG23*" OR Upper_Element = "*FM23*" OR Upper_Element = "*DP14*")|
Now, I want to convert it to a dashboard with a user input where I can fetch the search values in the Input box in the dashboard:
<row>
<panel>
<input type="multiselect" searchWhenChanged="true" token="Element_t">
<label>Element in Upper case</label>
<default>K21A DG23 FM23</default>
</input>
</panel>
</row>
However, I am not certain how I can get similar results to the above query. I tried the following approaches:
1. I have tried to use the subquery
[search * | head 1 | eval Upper_Element="$Element_t$" | makemv delim=" " Upper_Element | fields Upper_Element]
Tried to use the delimiter in multi-select as
XdelimiterY " OR Upper_Element = " X/delimiterY //replace the X and Y with less than and greater than symbol
But I am not getting the proper results. Could you please direct me to the correct path? I am really confused here.
Thanks a lot in advance for the help.
Br,
Chandra
OK, how about this: I used makeresults in a subsearch to build the search and added the format to add the ORs:
<fieldset submitButton="true">
<input type="multiselect" searchWhenChanged="true" token="Element_t">
<label>Element in Upper case</label>
<choice value="*K21A* *DG23* *FM23*">K21A DG23 FM23</choice>
<default>K21A DG23 FM23</default>
<prefix>"</prefix>
<suffix>"</suffix>
<initialValue>*K21A* *DG23* *FM23*</initialValue>
<valuePrefix></valuePrefix>
<valueSuffix></valueSuffix>
<delimiter> </delimiter>
</input>
</fieldset>
And this is the search:
<table>
<search>
<query>`Master_Search` [|makeresults |eval Element=$Element_t$ |eval Element=split(Element," ")|table Element | format "(" "" "" "" "OR" ")"]</query>
</search>
<option name="drilldown">none</option>
</table>
Keep in mind that the *'s are going to make the search slow, but if these strings are in the middle of Element with no spaces before and after or special characters, you will need them. I would leave the *'s out if you can. Also, if these values need to be found in any part of the row, not just in the Element, you can change the Element to search:
<table>
<search>
<query>`Master_Search` [|makeresults |eval search=$Element_t$ |eval search=split(search," ")|table search | format "(" "" "" "" "OR" ")"]</query>
</search>
<option name="drilldown">none</option>
</table>
Hope this helps you.
Let me check it with my existing query. However, you already taught me a lot with these functionalities 🙂
I have remembered a lot of things that I forgot 🙂
Here is a good answer on the format function that does a good job explaining it:
https://answers.splunk.com/answers/351834/how-can-i-use-a-search-results-table-to-power-anot.html
Searching is generally case insensitive, so do you need to do all that changing to upper and creating a new field? I was able to do something like this below with the multiselect and just add it to my search with the Prefix/Suffix in the multiselect options. Also see the examples dashboard, they give a good example on how to use the multiselect.
<input type="multiselect" searchWhenChanged="true" token="Element_t">
<label>Element in Upper case</label>
<choice value="K21A">K21A</choice>
<choice value="DG23">DG23</choice>
<choice value="FM23">FM23</choice>
<default>K21A,DG23,FM23</default>
<prefix>(</prefix>
<suffix>)</suffix>
<initialValue>K21A,DG23,FM23</initialValue>
<valuePrefix>Element="*</valuePrefix>
<valueSuffix>*"</valueSuffix>
<delimiter> OR </delimiter>
</input>
.
.
.
<row>
<panel>
<table>
<search>
<query>`Master_Search` $Element_t$ |</query>
</search>
<option name="drilldown">none</option>
</table>
</panel>
</row>
Thanks for the prefix and suffix information. In my index, there are more than 100000+ elements with 64 columns dependent on them. The user wants to give the element name as a single string with space in between. I need to first extract all Elements separately and then make a search with OR.
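
For the requirement in the last post (one free-text box holding space-separated element names), the dashboard below is an added example, not code from any poster in this thread. It splits the typed string inside a subsearch and passes the token through Splunk's `|s` token filter, so whatever the user types is substituted as a single quoted string rather than as raw SPL. Assumptions: the `Master_Search` macro and `Element` field are the ones from the thread, and matching is done against `Element` directly, relying on the case-insensitive matching mentioned above instead of the report's upper-casing and space-stripping step.

```xml
<form>
  <label>Element search (added example)</label>
  <fieldset submitButton="true">
    <!-- Free-text input: the user types element names separated by spaces -->
    <input type="text" token="Element_t">
      <label>Elements (space separated)</label>
      <default>K21A DG23 FM23</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- $Element_t|s$ inserts the token as one quoted, escaped string
               literal, so typed quotes or pipes stay inside the eval string.
               split + mvexpand give one row per name; the where clause drops
               empty entries caused by repeated spaces; format turns the rows
               into ( ( Element="*K21A*" ) OR ( Element="*DG23*" ) ... ). -->
          <query>`Master_Search` [| makeresults | eval Element=split($Element_t|s$, " ") | mvexpand Element | where Element!="" | eval Element="*".Element."*" | table Element | format]</query>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
```

Without the `|s` filter the token text is pasted into the query as-is, which is why the earlier answer had to wrap it in a `"` prefix and suffix by hand.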