Dashboards & Visualizations

How to input.multiselect with values from a search containing whitespaces

chris1284
Explorer

Hello,

i have added a Multiselect field to my dashboard and i am using a search to fill it with values,

One of this values is "Not tested" and if i select this value in multiselect field i do  not get search results.

All other values like "A" , "A+", "***" are working but no values whitespaces.


code for use of the nultivaluefield in search to filter a table:

 

 

 

 

| search grade IN ($ms_X9Rhybia$)

 

 

 

 

I think the reason is the handling of the multiselect field with whitespace in $ms_X9Rhybia$ (wrong detection of whitspace as delimiter for example)

Labels (1)
0 Karma

chris1284
Explorer

After using this token modifier, i can only choose one value from the multiselect field (and than it is no multiselect anymore)

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Sorry, you are right, this won't work for multi-selects as it puts all the selection in one set of double quotes. You will need to do something different with how the multi-select is defined. How have you defined your multi-select? Can you share the SimpleXML in a code block </>

0 Karma

chris1284
Explorer

as i understood, the multiselect from the dashboard studio uses by default 

The only supported multiselect input delimiter is the comma use inputs and tokens to make dashboards dynamic - Splunk Documentation)

my code xml

 

"input_ian7EbEx": {
			"options": {
				"items": [
					{
						"label": "All",
						"value": "***"
					}
				],
				"defaultValue": "***",
				"token": "ms_X9Rhybia"
			},
			"title": "Search Grade",
			"type": "input.multiselect",
			"dataSources": {
				"primary": "ds_FY8oki8Y"
			}
		},

 

the search ds_FY8oki8Y retuns one column "grade" with some values

 

| fillnull value="Not tested" grade 
| fields grade 
| dedup grade
| sort + grade

 

returned values: 

1A
2A+
3A-
4B+
5C
6C+
7F
8N
9Not tested

 

Tags (1)
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

That's not XML, that's JSON (from your event). What I was interested in was the SimpleXML from you dashboard source (where you have defined the multi-select).

Essentially, what you may need to do is define prefix, suffix and delimiter values appropriate for use in the IN function, or add a change handler to create a token in the right format for use in the IN function.

0 Karma

chris1284
Explorer

This was from my Source (Dashboard Editor -> Source [</>]

The question is how can i modify / format the input for the multiselct / IN function?

If i understand this example Multiselect - Splunk Documentation 

			"context": {
				"formattedConfig": {
					"number": {
						"prefix": ""
					}
				},
				"formattedStatics": ">statics | formatByType(formattedConfig)",
				"statics": [
					[
						"All"
					],
					[
						"*"
					]
				],
				"label": ">primary | seriesByName(\"sourcetype\") | renameSeries(\"label\") | formatByType(formattedConfig)",
				"value": ">primary | seriesByName(\"sourcetype\") | renameSeries(\"value\") | formatByType(formattedConfig)"
			}

the solution is in the "context" area.  

0 Karma

chris1284
Explorer

my workaround at this time ist to use the EVAL funtion to add a prefix and suffix to each result of the search that fills the multiselect input. for example


result from search: Red Hat Local Security Checks
manipulatet reasult: "Red Hat Local Security Checks"

 

 

| eval fam="\"".fam."\""

 

now multislect is realy only space seperated between the inputs from search (search results). only disadvantage is the optical point in the dropdown (the suffix and prefix ")

 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Ah, no wonder I didn't recognise it - you are using Studio. Not something I am overly familiar with, I am afraid.

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Try with the |s token modifier

| search grade IN ($ms_X9Rhybia|s$)
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...