Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do you search a field with multiple values from an Input BOX?

Chandras11
Communicator
‎11-12-2018 10:30 AM

Hi,

I currently have a working report as:

`Master_Search`  |eval Upper_Element = upper(Element)| rex field=Upper_Element mode=sed "s/ //g"  | search(Upper_Element = "*K21A*" OR Upper_Element = "*DG23*" OR Upper_Element = "*FM23*"  OR Upper_Element = "*DP14*")|

Now, I want to convert it to a dashboard with a user input where I can fetch the search values in the Input box in the dashboard: 

<row>
    <panel>
       <input type="multiselect" searchWhenChanged="true" token="Element_t">
        <label>Element in Upper case</label>
        <default>K21A DG23 FM23</default>
      </input>
    </panel>
  </row>

However, I am not certain how I can get the similar results as the above query. I tried the following approaches
1. I have tried to use the subquery

[search * | head 1 | eval Upper_Element="$Element_t$" | makemv delim=" " Upper_Element | fields Upper_Element]

  1. Tried to use the delimiter in multi-select as

    XdelimiterY " OR Upper_Element = " X/delimiterY //replace the X and Y with less than and greater than symbol
    But, I am not getting the proper results. Could you please direct me to the correct path. I am really confused here.

Thanks a lot in advance for the help.

Br,
Chandra

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bkirk
Path Finder
‎11-13-2018 06:20 AM

Ok how about this I used makeresults in a subsearch to build the search and added the format to add the OR's:

  <fieldset submitButton="true">
    <input type="multiselect" searchWhenChanged="true" token="Element_t">
      <label>Element in Upper case</label>
      <choice value="*K21A* *DG23* *FM23*">K21A DG23 FM23</choice>
      <default>K21A DG23 FM23</default>
      <prefix>"</prefix>
      <suffix>"</suffix>
      <initialValue>*K21A* *DG23* *FM23*</initialValue>
      <valuePrefix></valuePrefix>
      <valueSuffix></valueSuffix>
      <delimiter> </delimiter>
    </input>

And this is the search:

      <table>
        <search>
          <query>`Master_Search` [|makeresults |eval Element=$Element_t$ |eval Element=split(Element," ")|table Element | format "(" "" "" "" "OR" ")"]</query>
        </search>
        <option name="drilldown">none</option>
      </table>

Keep in mind that the *'s are going to make the search slow but if these strings are in the middle of Element with no spaces before and after or special characters you will need them. I would leave the *'s out if you can. Also if these values need to be found in any part of the row not just in the Element you can change the Element to search:

      <table>
        <search>
          <query>`Master_Search` [|makeresults |eval search=$Element_t$ |eval search=split(search," ")|table search | format "(" "" "" "" "OR" ")"]</query>
        </search>
        <option name="drilldown">none</option>
      </table>

Hope this helps you.

View solution in original post

Reply
Solved! Jump to solution
Solution

bkirk
Path Finder
‎11-13-2018 06:20 AM

Ok how about this I used makeresults in a subsearch to build the search and added the format to add the OR's:

  <fieldset submitButton="true">
    <input type="multiselect" searchWhenChanged="true" token="Element_t">
      <label>Element in Upper case</label>
      <choice value="*K21A* *DG23* *FM23*">K21A DG23 FM23</choice>
      <default>K21A DG23 FM23</default>
      <prefix>"</prefix>
      <suffix>"</suffix>
      <initialValue>*K21A* *DG23* *FM23*</initialValue>
      <valuePrefix></valuePrefix>
      <valueSuffix></valueSuffix>
      <delimiter> </delimiter>
    </input>

And this is the search:

      <table>
        <search>
          <query>`Master_Search` [|makeresults |eval Element=$Element_t$ |eval Element=split(Element," ")|table Element | format "(" "" "" "" "OR" ")"]</query>
        </search>
        <option name="drilldown">none</option>
      </table>

Keep in mind that the *'s are going to make the search slow but if these strings are in the middle of Element with no spaces before and after or special characters you will need them. I would leave the *'s out if you can. Also if these values need to be found in any part of the row not just in the Element you can change the Element to search:

      <table>
        <search>
          <query>`Master_Search` [|makeresults |eval search=$Element_t$ |eval search=split(search," ")|table search | format "(" "" "" "" "OR" ")"]</query>
        </search>
        <option name="drilldown">none</option>
      </table>

Hope this helps you.

Reply
Solved! Jump to solution

Chandras11
Communicator
‎11-13-2018 06:31 AM

Let me check it with my existing query. However, you already taught me a lot with these functionalities 🙂

0 Karma
Reply
Solved! Jump to solution

bkirk
Path Finder
‎11-13-2018 06:48 AM

I have remembered a lot of things that I forgot 🙂

Here is a good answer on the format function does a good job explaining it:
https://answers.splunk.com/answers/351834/how-can-i-use-a-search-results-table-to-power-anot.html

0 Karma
Reply
Solved! Jump to solution

bkirk
Path Finder
‎11-12-2018 01:00 PM

Searching is generally case insensitive, so do you need to do all that changing to upper and creating a new field? I was able to do something like this below with the multiselect and just add it to my search with the Prefix/Suffix in the multiselect options. Also see the examples dashboard, they give a good example on how to use the multiselect.

    <input type="multiselect" searchWhenChanged="true" token="Element_t">
      <label>Element in Upper case</label>
      <choice value="K21A">K21A</choice>
      <choice value="DG23">DG23</choice>
      <choice value="FM23">FM23</choice>
      <default>K21A,DG23,FM23</default>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <initialValue>K21A,DG23,FM23</initialValue>
      <valuePrefix>Element="*</valuePrefix>
      <valueSuffix>*"</valueSuffix>
      <delimiter> OR </delimiter>
    </input>

.
.
.

  <row>
    <panel>
      <table>
        <search>
          <query>`Master_Search` $Element_t$ |</query>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
Reply
Solved! Jump to solution

Chandras11
Communicator
‎11-12-2018 10:57 PM

Thanks for the prefix and suffix information. In my index, there are more then 100000+ elements with 64 columns dependent on them. The user wants to give the element name as a single string with space in between. I need to first extract all Elements separately and then make a search with OR.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...