Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Dashboards & Visualizations
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- How to extract table records with multi-select
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kobayashines
New Member
10-29-2019
08:41 PM
Hello. I am Japanese. Please allow posting using google translation.
The following sources are created. This source works just by copying and pasting.
<form theme="light">
<label>FilterTest</label>
<search id="baseSearch">
<query>
| stats count
| eval _raw="col1, col2, col3
aaa,bbb,ccc
ddd,eee,fff
ggg,hhh,iii"
| multikv forceheader=1
</query>
</search>
<row>
<panel>
<input type="multiselect" token="TableValues">
<label>TargetValues</label>
<choice value="*">*</choice>
<fieldForLabel>valueList</fieldForLabel>
<fieldForValue>valueList</fieldForValue>
<search base="baseSearch">
<query>
| stats values(col3) as valueList | mvexpand valueList
</query>
</search>
<choice value="*">*</choice>
<prefix>''</prefix>
</input>
<table>
<search base="baseSearch">
<query>
| table col1 col2 col3
</query>
</search>
</table>
</panel>
</row>
</form>
When you do this, the table is created as follows:
In addition, the text box lists the value of col3.
col1 col2 col3
aaa bbb ccc
ddd eee fff
ggg hhh iii
◆What i want to do
I want to select "ccc" and "iii" from the text box and extract the records containing this from col3.
How can I do that?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renjith_nair
Legend
10-29-2019
10:17 PM
@kobayashines ,
Try
<form>
<label>FilterTest</label>
<search id="baseSearch">
<query>| stats count
| eval _raw="col1, col2, col3
aaa,bbb,ccc
ddd,eee,fff
ggg,hhh,iii"
| multikv forceheader=1</query>
</search>
<fieldset submitButton="false"></fieldset>
<row>
<panel>
<input type="multiselect" token="TableValues">
<label>TargetValues</label>
<choice value="*">*</choice>
<fieldForLabel>valueList</fieldForLabel>
<fieldForValue>valueList</fieldForValue>
<search base="baseSearch">
<query>| stats values(col3) as valueList | mvexpand valueList</query>
</search>
<valuePrefix>col3="</valuePrefix>
<valueSuffix>"</valueSuffix>
<delimiter> OR </delimiter>
<prefix>(</prefix>
<suffix>)</suffix>
<default>*</default>
<initialValue>*</initialValue>
</input>
<table>
<search base="baseSearch">
<query>|search $TableValues$| table col1 col2 col3</query>
</search>
</table>
</panel>
</row>
</form>
---
What goes around comes around. If it helps, hit it with Karma 🙂
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renjith_nair
Legend
10-29-2019
10:17 PM
@kobayashines ,
Try
<form>
<label>FilterTest</label>
<search id="baseSearch">
<query>| stats count
| eval _raw="col1, col2, col3
aaa,bbb,ccc
ddd,eee,fff
ggg,hhh,iii"
| multikv forceheader=1</query>
</search>
<fieldset submitButton="false"></fieldset>
<row>
<panel>
<input type="multiselect" token="TableValues">
<label>TargetValues</label>
<choice value="*">*</choice>
<fieldForLabel>valueList</fieldForLabel>
<fieldForValue>valueList</fieldForValue>
<search base="baseSearch">
<query>| stats values(col3) as valueList | mvexpand valueList</query>
</search>
<valuePrefix>col3="</valuePrefix>
<valueSuffix>"</valueSuffix>
<delimiter> OR </delimiter>
<prefix>(</prefix>
<suffix>)</suffix>
<default>*</default>
<initialValue>*</initialValue>
</input>
<table>
<search base="baseSearch">
<query>|search $TableValues$| table col1 col2 col3</query>
</search>
</table>
</panel>
</row>
</form>
---
What goes around comes around. If it helps, hit it with Karma 🙂
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kobayashines
New Member
10-29-2019
10:36 PM
That is exactly what I wanted to do.
Thank you for the best answer!
Get Updates on the Splunk Community!
Enterprise Security Content Update (ESCU) | New Releases
In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
(This is the first of a series of 2 blogs).
Splunk Enterprise Security is a fantastic tool that offers robust ...
Index This | What are the 12 Days of Splunk-mas?
December 2024 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with another ...
