Solved: Re: Multiselect and input field with any field

Stopplis · ‎06-27-2024

Hello,

I have a dashboard with multiselection + text input field.

<form version="1.1" theme="light">
  <label>Multiselect Text</label>
  <init>
    <set token="toktext">*</set>
  </init>
  <fieldset submitButton="false">
    <input type="multiselect" token="tokselect">
      <label>Field</label>
      <choice value="category">Group</choice>
      <choice value="severity">Severity</choice>
      <default>category</default>
      <valueSuffix>=REPLACE</valueSuffix>
      <delimiter> OR </delimiter>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <change>
        <eval token="tokfilter">replace($tokselect$,"REPLACE","\"".$toktext$."\"")</eval>
      </change>
    </input>
    <input type="text" token="toktext">
      <label>Value</label>
      <default>*</default>
      <change>
        <eval token="tokfilter">replace($tokselect$,"REPLACE","\"".$toktext$."\"")</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <event>
        <title>$tokfilter$</title>
        <search>
          <query>| makeresults</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </event>
    </panel>
  </row>
</form>

Everything is working properly, so if I add something in the input 'Value' field then select an option from the multiselect tab 'Field' the search is looking for e.g. category="something" OR severity="something".
I need help to build a plus multiselect option which is able to search for the string value defined in the text field anywhere in the event.

I can imagine like this:

If I select the 'Group' and type 'something' into the input field, the search is looking for category="something", but if I select the 'Any Field' and type 'something' into the input field, the search is looking for only "something".

Could you please help to modify this dashboard in this direction?

Thank you so much in advance!

ITWhisperer · ‎06-27-2024

First you need to add the "Any field" choice. Then you need to reset the form token depending on whether the last choice has been removed (use default value), whether "Any field" has been added after another selection (make "Any field" the only selection), whether another selection has been made after "Any field" (remove "Any field" from the selection, otherwise leave the form token as is. Then you need to reset the token if the form token is "Any field" (so that it just contains "REPLACE". Now, the existing setting of the filter token can replace "REPLACE" with the value from the text input:

<form version="1.1" theme="light">
  <label>Multiselect Text</label>
  <init>
    <set token="toktext">*</set>
  </init>
  <fieldset submitButton="false">
    <input type="multiselect" token="tokselect">
      <label>Field</label>
      <choice value="Any field">Any field</choice>
      <choice value="category">Group</choice>
      <choice value="severity">Severity</choice>
      <default>category</default>
      <valueSuffix>=REPLACE</valueSuffix>
      <delimiter> OR </delimiter>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <change>
        <eval token="form.tokselect">case(mvcount('form.tokselect')=0,"category",mvcount('form.tokselect')&gt;1 AND mvfind('form.tokselect',"Any field")&gt;0,"Any field",mvcount('form.tokselect')&gt;1 AND mvfind('form.tokselect',"Any field")=0,mvfilter('form.select'!="Any field"),1==1,'form.tokselect')</eval>
        <eval token="tokselect">if('form.tokselect'="Any field","REPLACE",'tokselect')</eval>
        <eval token="tokfilter">replace($tokselect$,"REPLACE","\"".$toktext$."\"")</eval>
      </change>
    </input>
    <input type="text" token="toktext">
      <label>Value</label>
      <default>*</default>
      <change>
        <eval token="tokfilter">replace($tokselect$,"REPLACE","\"".$toktext$."\"")</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <event>
        <title>$tokfilter$</title>
        <search>
          <query>| makeresults</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </event>
    </panel>
  </row>
</form>

View solution in original post

ITWhisperer · ‎06-27-2024

First you need to add the "Any field" choice. Then you need to reset the form token depending on whether the last choice has been removed (use default value), whether "Any field" has been added after another selection (make "Any field" the only selection), whether another selection has been made after "Any field" (remove "Any field" from the selection, otherwise leave the form token as is. Then you need to reset the token if the form token is "Any field" (so that it just contains "REPLACE". Now, the existing setting of the filter token can replace "REPLACE" with the value from the text input:

<form version="1.1" theme="light">
  <label>Multiselect Text</label>
  <init>
    <set token="toktext">*</set>
  </init>
  <fieldset submitButton="false">
    <input type="multiselect" token="tokselect">
      <label>Field</label>
      <choice value="Any field">Any field</choice>
      <choice value="category">Group</choice>
      <choice value="severity">Severity</choice>
      <default>category</default>
      <valueSuffix>=REPLACE</valueSuffix>
      <delimiter> OR </delimiter>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <change>
        <eval token="form.tokselect">case(mvcount('form.tokselect')=0,"category",mvcount('form.tokselect')&gt;1 AND mvfind('form.tokselect',"Any field")&gt;0,"Any field",mvcount('form.tokselect')&gt;1 AND mvfind('form.tokselect',"Any field")=0,mvfilter('form.select'!="Any field"),1==1,'form.tokselect')</eval>
        <eval token="tokselect">if('form.tokselect'="Any field","REPLACE",'tokselect')</eval>
        <eval token="tokfilter">replace($tokselect$,"REPLACE","\"".$toktext$."\"")</eval>
      </change>
    </input>
    <input type="text" token="toktext">
      <label>Value</label>
      <default>*</default>
      <change>
        <eval token="tokfilter">replace($tokselect$,"REPLACE","\"".$toktext$."\"")</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <event>
        <title>$tokfilter$</title>
        <search>
          <query>| makeresults</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </event>
    </panel>
  </row>
</form>

Stopplis · ‎06-27-2024

Thank you, that's what I thought.

Small question about this part:

<eval token="form.tokselect">case(mvcount('form.tokselect')=0,"category",mvcount('form.tokselect')&gt;1 AND mvfind('form.tokselect',"Any field")&gt;0,"Any field",mvcount('form.tokselect')&gt;1 AND mvfind('form.tokselect',"Any field")=0,mvfilter('form.select'!="Any field"),1==1,'form.tokselect')</eval>
<eval token="tokselect">if('form.tokselect'="Any field","REPLACE",'tokselect')</eval>

If I want to modify the value of the fields at here:

<choice value="Any field">Any field</choice>
<choice value="category">Group</choice>

Should I modify these values in the above code as well?

So e.g. if I want the category value to be group. I have to modify the 'category' to 'group' at this part like this:

<eval token="form.tokselect">case(mvcount('form.tokselect')=0,"group",mvcount

Am I correct?

ITWhisperer · ‎06-27-2024

Essentially, yes. The value set when the multi-select is emptied should be the default value you configured. If you are changing the default from category to group, then it needs to change in the case function too.

Multiselect and input field with any field

token

Meet Duke Cyberwalker | A hero’s journey with Splunk

The Future of Splunk Search is Here - See What’s New!

Splunk is Nurturing Tomorrow’s Cybersecurity Leaders Today