Dashboards & Visualizations

How to filter multiple values in saved search using single token

harish_l
New Member

Please help me to select the multiple values from the saved search. i need to filter 2 or 3 values out of 6. this is the fieldname targetType =(name, employee, statement)

This is my search :

|inputlookup target_lookup 
| where targetType LIKE("$value$")
| makemv delim="," targetType
|table targetType

Saved search :

| savedsearch reportname $value$

This is not working for me. could you please help me to resolve the issue I will be very happy if anyone resolves this issue.

0 Karma

vinod94
Contributor

@harish_l ,

Dyude try this,

| inputlookup target_lookup 
| search 
    [| gentimes start=-1 
    | eval targetType="$targetType$" 
    | makemv targetType delim="," 
    | mvexpand targetType 
    | table targetType] | table targetType

run the savedsearch by passing multiple values

| savedsearch reportname targetType="value1,value2"
0 Karma

harish_l
New Member

@vinod94

I have tried the above query but getting only one value. I need to display 2 values

0 Karma

vinod94
Contributor

can u show the savedsearch query.? how are you running it

0 Karma

tiagofbmm
Influencer

You can do it by giving

 |inputlookup target_lookup 
 | where targetType LIKE("$value1$") OR targetType LIKE("$value2$") OR targetType LIKE("$value3$")
 | makemv delim="," targetType
 |table targetType

| savedsearch reportname value1=val1 value1=val2 value1=val3

Or just create a macro and use it in a similat way

Then just call \macro_name(value1)`,`macro_name(value2)`,`macro_name(value3)``

0 Karma

harish_l
New Member

I am getting only one value using this query. how to get the 2 or 3 values using single token

0 Karma

tiagofbmm
Influencer

can you get us a sample of your lookup and what you'd like to have as a result please ?

0 Karma

harish_l
New Member

Lookup data has only one field name with 5 values

FieldsName: targetType
Fielde Value: Count
Duration
Uptime
Down
Messgae

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...