Dashboards & Visualizations

User Multiselect Token In Different Searches

tjago11
Communicator

I have a single input on a dashboard that is used in two different searches. The input is a multiselect so I'm using the valuePrefix and valueSuffix properties to format the token for the search. Something like this:

<input type="multiselect" token="hostFilter" searchWhenChanged="true">
  <label>Server</label>
  <search>
    <query>| get my list of servers</query>
    <earliest>-15m</earliest>
    <latest>now</latest>
  </search>
  <valuePrefix>host="</valuePrefix>
  <valueSuffix>)"</valueSuffix>
  <delimiter> OR </delimiter>
  <prefix>(</prefix>
  <suffix>)</suffix>
</input>

This generates a nice OR delimited list of hosts like (host="myHost1" OR host="myHost2") that I can use in a search. Sweet!!

The problem is I want to use that same value in a different area of my dashboard but it needs to be formatted differently. Instead of an OR delimited list with a prefix/suffix, I need to pass it as a comma delimited list for use in a macro like this:
| CallTheMacro("myHost1, myHost2")

In this case the multiselect would have a completely different configuration:

<input type="multiselect" token="hostFilter" searchWhenChanged="true">
  <label>Server</label>
  <search>
    <query>| get my list of servers</query>
    <earliest>-15m</earliest>
    <latest>now</latest>
  </search>
  <delimiter>,</delimiter>
  <prefix>"</prefix>
  <suffix>"</suffix>
</input>

I was able to get something working adding a change condition to the input and doing replaces on the generated token...it is icky and I'm hoping there is a better way:

 <input type="multiselect" token="hostFilter" searchWhenChanged="true">
   <label>Server</label>
   <search>
     <query>| get my list of servers</query>
     <earliest>-15m</earliest>
     <latest>now</latest>
   </search>
   <valuePrefix>host="</valuePrefix>
   <valueSuffix>)"</valueSuffix>
   <delimiter> OR </delimiter>
   <prefix>(</prefix>
   <suffix>)</suffix>
  <change>
    <condition>
      <eval token="macroInput">
        replace('hostFilter', "host=", "")
      </eval>
      <eval token="macroInput">
        replace('macroInput', "\\"", "")
      </eval>
      <eval token="macroInput">
        replace('macroInput', " OR ", ",")
      </eval>
      <eval token="macroInput">
        replace('macroInput', "\\(", "\\"")
      </eval>
      <eval token="macroInput">
        replace('macroInput', "\\)", "\\"")
      </eval>
    </condition>
  </change>
 </input>

What is a bit cool is chaining together the replaces to simplify each step...but it is still very clunky. Any suggestions welcome, thanks.

0 Karma

rvany
Communicator

What I find interesting about this is, that Splunk docs say: <change> and <condition> are "Not available for multiselect inputs" 😉

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...