How to input.multiselect with values from a search...

chris1284 · ‎01-27-2022

Hello,

i have added a Multiselect field to my dashboard and i am using a search to fill it with values,

One of this values is "Not tested" and if i select this value in multiselect field i do not get search results.

All other values like "A" , "A+", "***" are working but no values whitespaces.

code for use of the nultivaluefield in search to filter a table:

| search grade IN ($ms_X9Rhybia$)

I think the reason is the handling of the multiselect field with whitespace in $ms_X9Rhybia$ (wrong detection of whitspace as delimiter for example)

chris1284 · ‎01-28-2022

After using this token modifier, i can only choose one value from the multiselect field (and than it is no multiselect anymore)

ITWhisperer · ‎01-28-2022

Sorry, you are right, this won't work for multi-selects as it puts all the selection in one set of double quotes. You will need to do something different with how the multi-select is defined. How have you defined your multi-select? Can you share the SimpleXML in a code block </>

chris1284 · ‎01-28-2022

as i understood, the multiselect from the dashboard studio uses by default

The only supported multiselect input delimiter is the comma use inputs and tokens to make dashboards dynamic - Splunk Documentation)

my code xml

"input_ian7EbEx": {
			"options": {
				"items": [
					{
						"label": "All",
						"value": "***"
					}
				],
				"defaultValue": "***",
				"token": "ms_X9Rhybia"
			},
			"title": "Search Grade",
			"type": "input.multiselect",
			"dataSources": {
				"primary": "ds_FY8oki8Y"
			}
		},

the search ds_FY8oki8Y retuns one column "grade" with some values

| fillnull value="Not tested" grade 
| fields grade 
| dedup grade
| sort + grade

returned values:

1	A
2	A+
3	A-
4	B+
5	C
6	C+
7	F
8	N
9	Not tested

ITWhisperer · ‎01-28-2022

That's not XML, that's JSON (from your event). What I was interested in was the SimpleXML from you dashboard source (where you have defined the multi-select).

Essentially, what you may need to do is define prefix, suffix and delimiter values appropriate for use in the IN function, or add a change handler to create a token in the right format for use in the IN function.

chris1284 · ‎06-14-2022

This was from my Source (Dashboard Editor -> Source [</>]

The question is how can i modify / format the input for the multiselct / IN function?

If i understand this example Multiselect - Splunk Documentation

			"context": {
				"formattedConfig": {
					"number": {
						"prefix": ""
					}
				},
				"formattedStatics": ">statics | formatByType(formattedConfig)",
				"statics": [
					[
						"All"
					],
					[
						"*"
					]
				],
				"label": ">primary | seriesByName(\"sourcetype\") | renameSeries(\"label\") | formatByType(formattedConfig)",
				"value": ">primary | seriesByName(\"sourcetype\") | renameSeries(\"value\") | formatByType(formattedConfig)"
			}

the solution is in the "context" area.

chris1284 · ‎06-14-2022

my workaround at this time ist to use the EVAL funtion to add a prefix and suffix to each result of the search that fills the multiselect input. for example

result from search: Red Hat Local Security Checks
manipulatet reasult: "Red Hat Local Security Checks"

| eval fam="\"".fam."\""

now multislect is realy only space seperated between the inputs from search (search results). only disadvantage is the optical point in the dropdown (the suffix and prefix ")

ITWhisperer · ‎06-14-2022

Ah, no wonder I didn't recognise it - you are using Studio. Not something I am overly familiar with, I am afraid.

ITWhisperer · ‎01-27-2022

Try with the |s token modifier

| search grade IN ($ms_X9Rhybia|s$)

How to input.multiselect with values from a search containing whitespaces

other

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!