Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to input.multiselect with values from a search containing whitespaces

chris1284
Explorer
‎01-27-2022 06:27 AM

Hello,

i have added a Multiselect field to my dashboard and i am using a search to fill it with values,

One of this values is "Not tested" and if i select this value in multiselect field i do  not get search results.

All other values like "A" , "A+", "***" are working but no values whitespaces.


code for use of the nultivaluefield in search to filter a table:

 

 

 

 

| search grade IN ($ms_X9Rhybia$)

 

 

 

 

I think the reason is the handling of the multiselect field with whitespace in $ms_X9Rhybia$ (wrong detection of whitspace as delimiter for example)

0 Karma
Reply

chris1284
Explorer
‎01-28-2022 12:39 AM

After using this token modifier, i can only choose one value from the multiselect field (and than it is no multiselect anymore)

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎01-28-2022 12:53 AM

Sorry, you are right, this won't work for multi-selects as it puts all the selection in one set of double quotes. You will need to do something different with how the multi-select is defined. How have you defined your multi-select? Can you share the SimpleXML in a code block </>

0 Karma
Reply

chris1284
Explorer
‎01-28-2022 05:39 AM

as i understood, the multiselect from the dashboard studio uses by default 

The only supported multiselect input delimiter is the comma use inputs and tokens to make dashboards dynamic - Splunk Documentation)

my code xml

 

"input_ian7EbEx": {
			"options": {
				"items": [
					{
						"label": "All",
						"value": "***"
					}
				],
				"defaultValue": "***",
				"token": "ms_X9Rhybia"
			},
			"title": "Search Grade",
			"type": "input.multiselect",
			"dataSources": {
				"primary": "ds_FY8oki8Y"
			}
		},

 

the search ds_FY8oki8Y retuns one column "grade" with some values

 

| fillnull value="Not tested" grade 
| fields grade 
| dedup grade
| sort + grade

 

returned values: 

1A
2A+
3A-
4B+
5C
6C+
7F
8N
9Not tested

 

Tags (1)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎01-28-2022 06:01 AM

That's not XML, that's JSON (from your event). What I was interested in was the SimpleXML from you dashboard source (where you have defined the multi-select).

Essentially, what you may need to do is define prefix, suffix and delimiter values appropriate for use in the IN function, or add a change handler to create a token in the right format for use in the IN function.

0 Karma
Reply

chris1284
Explorer
‎06-14-2022 04:59 AM

This was from my Source (Dashboard Editor -> Source [</>]

The question is how can i modify / format the input for the multiselct / IN function?

If i understand this example Multiselect - Splunk Documentation 

			"context": {
				"formattedConfig": {
					"number": {
						"prefix": ""
					}
				},
				"formattedStatics": ">statics | formatByType(formattedConfig)",
				"statics": [
					[
						"All"
					],
					[
						"*"
					]
				],
				"label": ">primary | seriesByName(\"sourcetype\") | renameSeries(\"label\") | formatByType(formattedConfig)",
				"value": ">primary | seriesByName(\"sourcetype\") | renameSeries(\"value\") | formatByType(formattedConfig)"
			}

the solution is in the "context" area.  

0 Karma
Reply

chris1284
Explorer
‎06-14-2022 05:38 AM

my workaround at this time ist to use the EVAL funtion to add a prefix and suffix to each result of the search that fills the multiselect input. for example


result from search: Red Hat Local Security Checks
manipulatet reasult: "Red Hat Local Security Checks"

 

 

| eval fam="\"".fam."\""

 

now multislect is realy only space seperated between the inputs from search (search results). only disadvantage is the optical point in the dropdown (the suffix and prefix ")

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎06-14-2022 05:31 AM

Ah, no wonder I didn't recognise it - you are using Studio. Not something I am overly familiar with, I am afraid.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎01-27-2022 06:43 AM

Try with the |s token modifier

| search grade IN ($ms_X9Rhybia|s$)
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Financial services organizations face an impossible equation: maintain 99.9% uptime for mission-critical ...

Customer success is front and center at .conf25

Hi Splunkers, If you are not able to be at .conf25 in person, you can still learn about all the latest news ...