Solved: How to generate search from dashboard input with v...

sptz16 · ‎03-08-2017

This seems to be a very simple requirement, but I'm unable to find a solution: I built a dashboard where the user enters an ip address which will then be used in a search like:

dest=$ip$

Now what I need is a way to search for 1 or more ip addresses. So, if the user enters "10.1.1.1 10.2.2.8 10.3.3.3" then the following search must be generated:

(dest=10.1.1.1 OR dest=10.2.2.8  OR dest=10.3.3.3)

Is there a way to do this?

HiroshiSatoh · ‎03-08-2017

You can edit the value of the text field with a subquery.

View solution in original post

DalJeanis · ‎03-08-2017

For an explanation of how HiroshiSatoh's answer works, see the "format" command.

https://docs.splunk.com/Documentation/Splunk/6.5.2/Search/Changetheformatofsubsearchresults

HiroshiSatoh · ‎03-08-2017

You can edit the value of the text field with a subquery.

sptz16 · ‎03-16-2017

Ah, but now it's getting more complicated. I need to search for the address list in src AND dest fields, so I tried:

[search noop | stats count | eval src="$cidr" | eval src=split(src, " "), dest=split(src, " ") |
 table src, dest ]

But it only returns events where src matches. And this:

[search noop | stats count | eval src="$cidr",dest="$cidr"
 | eval src=split(src, " "), dest=split(dest, " ")
 | table src, dest ]

yields no results at all 😞

HiroshiSatoh · ‎03-23-2017

Please perform sub search separately.

sptz16 · ‎03-16-2017

Holy cow, works like a charm! Thanks a lot, HiroshiSatoh!

somesoni2 · ‎03-08-2017

I think you need an mvexpand command as well (after split).

HiroshiSatoh · ‎03-08-2017

I also thought so.
But just by splitting it worked fine.

How to generate search from dashboard input with variable number of values?

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

How to Monitor Google Kubernetes Engine (GKE)

Index This | How can you make 45 using only 4?