Solved: Re: How to extract table records with multi-select

kobayashines · ‎10-29-2019

Hello. I am Japanese. Please allow posting using google translation.

The following sources are created. This source works just by copying and pasting.

<form theme="light">
  <label>FilterTest</label>
  <search id="baseSearch">
    <query>
      | stats count
      | eval _raw="col1, col2, col3
         aaa,bbb,ccc
         ddd,eee,fff
         ggg,hhh,iii"
      | multikv forceheader=1
    </query>
  </search>
  <row>
    <panel>
      <input type="multiselect" token="TableValues">
      <label>TargetValues</label>
      <choice value="*">*</choice>
      <fieldForLabel>valueList</fieldForLabel>
      <fieldForValue>valueList</fieldForValue>
      <search base="baseSearch">
        <query>
          | stats values(col3) as valueList | mvexpand valueList
        </query>
      </search>
      <choice value="*">*</choice>
      <prefix>''</prefix>
    </input>
      <table>
        <search base="baseSearch">
          <query>
             | table col1 col2 col3
           </query>
        </search>
      </table>
    </panel>
  </row>
</form>

When you do this, the table is created as follows:
In addition, the text box lists the value of col3.

col1 col2 col3
aaa bbb ccc
ddd eee fff
ggg hhh iii

◆What i want to do
I want to select "ccc" and "iii" from the text box and extract the records containing this from col3.

How can I do that?

renjith_nair · ‎10-29-2019

@kobayashines ,

Try

<form>
  <label>FilterTest</label>
  <search id="baseSearch">
    <query>| stats count
       | eval _raw="col1, col2, col3
          aaa,bbb,ccc
          ddd,eee,fff
          ggg,hhh,iii"
       | multikv forceheader=1</query>
  </search>
  <fieldset submitButton="false"></fieldset>
  <row>
    <panel>
      <input type="multiselect" token="TableValues">
        <label>TargetValues</label>
        <choice value="*">*</choice>
        <fieldForLabel>valueList</fieldForLabel>
        <fieldForValue>valueList</fieldForValue>
        <search base="baseSearch">
          <query>| stats values(col3) as valueList | mvexpand valueList</query>
        </search>
        <valuePrefix>col3="</valuePrefix>
        <valueSuffix>"</valueSuffix>
        <delimiter>  OR </delimiter>
        <prefix>(</prefix>
        <suffix>)</suffix>
        <default>*</default>
        <initialValue>*</initialValue>
      </input>
      <table>
        <search base="baseSearch">
          <query>|search $TableValues$| table col1 col2 col3</query>
        </search>
      </table>
    </panel>
  </row>
</form>

Happy Splunking!

View solution in original post

renjith_nair · ‎10-29-2019

@kobayashines ,

Try

<form>
  <label>FilterTest</label>
  <search id="baseSearch">
    <query>| stats count
       | eval _raw="col1, col2, col3
          aaa,bbb,ccc
          ddd,eee,fff
          ggg,hhh,iii"
       | multikv forceheader=1</query>
  </search>
  <fieldset submitButton="false"></fieldset>
  <row>
    <panel>
      <input type="multiselect" token="TableValues">
        <label>TargetValues</label>
        <choice value="*">*</choice>
        <fieldForLabel>valueList</fieldForLabel>
        <fieldForValue>valueList</fieldForValue>
        <search base="baseSearch">
          <query>| stats values(col3) as valueList | mvexpand valueList</query>
        </search>
        <valuePrefix>col3="</valuePrefix>
        <valueSuffix>"</valueSuffix>
        <delimiter>  OR </delimiter>
        <prefix>(</prefix>
        <suffix>)</suffix>
        <default>*</default>
        <initialValue>*</initialValue>
      </input>
      <table>
        <search base="baseSearch">
          <query>|search $TableValues$| table col1 col2 col3</query>
        </search>
      </table>
    </panel>
  </row>
</form>

Happy Splunking!

kobayashines · ‎10-29-2019

That is exactly what I wanted to do.
Thank you for the best answer!

How to extract table records with multi-select

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!