Solved: How to filter events based on comma deilmeter?

Naren26 · ‎11-22-2017

I have to filter the events by matching against the comma separated values. For example,
I have an input text box field. If I type 123, 231, 356, I have to filter the events by matching against the comma separated fields.

It should be ('123' OR '231' OR '356'). I have tried assigning the exact string to the searchmatch() function. But seems like it ANDing the values instead of OR. Following is my query:

<dashboard>
  <label>Filter Dashboard</label>
  <fieldset submitButton="false" autoRun="true">    
    <input type="text" token="filter_tok" searchWhenChanged="true">
      <label>Filter</label>
      <initialValue>*</initialValue>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>My Panel</title>
      <event>
        <search>
          <query>index=* | where searchmatch("$filter_tok$") </query>
          <earliest>-30m@m</earliest>
          <latest>now</latest>         
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">5</option>
        <option name="list.drilldown">full</option>
        <option name="list.wrap">1</option>
        <option name="maxLines">5</option>
        <option name="raw.drilldown">full</option>
        <option name="rowNumbers">0</option>
        <option name="table.drilldown">all</option>
        <option name="table.sortDirection">asc</option>
        <option name="table.wrap">1</option>
        <option name="type">list</option>
      </event>
    </panel>
  </row>
</dashboard>

How to achieve this? Please suggest.

kamlesh_vaghela · ‎11-22-2017

HI

Can you please try this?

<dashboard>
   <label>Filter Dashboard</label>
   <fieldset submitButton="false" autoRun="true">    
     <input type="text" token="filter_tok" searchWhenChanged="true">
       <label>Filter</label>
       <initialValue>*</initialValue>
       <default>*</default>
     </input>
   </fieldset>
   <search>
           <query>| makeresults | eval value="$filter_tok$" | makemv delim="," value | mvexpand value | stats delim=" OR " values(value) as value | mvcombine value </query>
           <done>
             <set token="myToken">$result.value$</set>
           </done>
   </search>
   <row>
     <panel>
       <title>My Panel $myToken$</title>
       <event>
         <search>
           <query>index=* | where searchmatch("$myToken$") </query>
           <earliest>-30m@m</earliest>
           <latest>now</latest>         
           <sampleRatio>1</sampleRatio>
         </search>
         <option name="count">5</option>
         <option name="list.drilldown">full</option>
         <option name="list.wrap">1</option>
         <option name="maxLines">5</option>
         <option name="raw.drilldown">full</option>
         <option name="rowNumbers">0</option>
         <option name="table.drilldown">all</option>
         <option name="table.sortDirection">asc</option>
         <option name="table.wrap">1</option>
         <option name="type">list</option>
       </event>
     </panel>
   </row>
 </dashboard>

Thanks

View solution in original post

kamlesh_vaghela · ‎11-22-2017

HI

Can you please try this?

<dashboard>
   <label>Filter Dashboard</label>
   <fieldset submitButton="false" autoRun="true">    
     <input type="text" token="filter_tok" searchWhenChanged="true">
       <label>Filter</label>
       <initialValue>*</initialValue>
       <default>*</default>
     </input>
   </fieldset>
   <search>
           <query>| makeresults | eval value="$filter_tok$" | makemv delim="," value | mvexpand value | stats delim=" OR " values(value) as value | mvcombine value </query>
           <done>
             <set token="myToken">$result.value$</set>
           </done>
   </search>
   <row>
     <panel>
       <title>My Panel $myToken$</title>
       <event>
         <search>
           <query>index=* | where searchmatch("$myToken$") </query>
           <earliest>-30m@m</earliest>
           <latest>now</latest>         
           <sampleRatio>1</sampleRatio>
         </search>
         <option name="count">5</option>
         <option name="list.drilldown">full</option>
         <option name="list.wrap">1</option>
         <option name="maxLines">5</option>
         <option name="raw.drilldown">full</option>
         <option name="rowNumbers">0</option>
         <option name="table.drilldown">all</option>
         <option name="table.sortDirection">asc</option>
         <option name="table.wrap">1</option>
         <option name="type">list</option>
       </event>
     </panel>
   </row>
 </dashboard>

Thanks

Naren26 · ‎11-22-2017

Excellent. Worked perfectly fine. Thanks a lot @kamlesh_vaghela

hardikJsheth · ‎11-22-2017

Try with IN clause.

i.e Following query only prints events from two hosts as mentioned in the IN clause.

index=main  host IN ("CDSLMAC02.local","127.0.0.1")

Naren26 · ‎11-22-2017

@hardikJsheth I need to perform a random search. Not specified to any field

hardikJsheth · ‎11-22-2017

@Naren26, I got it.

The best solution would be to replace coma with OR from token in java script .

i.e index=main "CDSLMAC02.local" OR "127.0.0.1"

How to filter events based on comma deilmeter?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Join the Conversation