Solved: How to generate search from dashboard input with v...

sptz16 · ‎03-08-2017

This seems to be a very simple requirement, but I'm unable to find a solution: I built a dashboard where the user enters an ip address which will then be used in a search like:

dest=$ip$

Now what I need is a way to search for 1 or more ip addresses. So, if the user enters "10.1.1.1 10.2.2.8 10.3.3.3" then the following search must be generated:

(dest=10.1.1.1 OR dest=10.2.2.8  OR dest=10.3.3.3)

Is there a way to do this?

HiroshiSatoh · ‎03-08-2017

You can edit the value of the text field with a subquery.

View solution in original post

DalJeanis · ‎03-08-2017

For an explanation of how HiroshiSatoh's answer works, see the "format" command.

https://docs.splunk.com/Documentation/Splunk/6.5.2/Search/Changetheformatofsubsearchresults

HiroshiSatoh · ‎03-08-2017

You can edit the value of the text field with a subquery.

sptz16 · ‎03-16-2017

Ah, but now it's getting more complicated. I need to search for the address list in src AND dest fields, so I tried:

[search noop | stats count | eval src="$cidr" | eval src=split(src, " "), dest=split(src, " ") |
 table src, dest ]

But it only returns events where src matches. And this:

[search noop | stats count | eval src="$cidr",dest="$cidr"
 | eval src=split(src, " "), dest=split(dest, " ")
 | table src, dest ]

yields no results at all 😞

HiroshiSatoh · ‎03-23-2017

Please perform sub search separately.

sptz16 · ‎03-16-2017

Holy cow, works like a charm! Thanks a lot, HiroshiSatoh!

somesoni2 · ‎03-08-2017

I think you need an mvexpand command as well (after split).

HiroshiSatoh · ‎03-08-2017

I also thought so.
But just by splitting it worked fine.

How to generate search from dashboard input with variable number of values?

Exciting News: The AppDynamics Community Joins Splunk!

Buttercup Games: Further Dashboarding Techniques (Part 3)

Digital Resilience Assessment Launch | How prepared are you for disruption?