Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- User Multiselect Token In Different Searches
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
User Multiselect Token In Different Searches
I have a single input on a dashboard that is used in two different searches. The input is a multiselect so I'm using the valuePrefix and valueSuffix properties to format the token for the search. Something like this:
<input type="multiselect" token="hostFilter" searchWhenChanged="true">
<label>Server</label>
<search>
<query>| get my list of servers</query>
<earliest>-15m</earliest>
<latest>now</latest>
</search>
<valuePrefix>host="</valuePrefix>
<valueSuffix>)"</valueSuffix>
<delimiter> OR </delimiter>
<prefix>(</prefix>
<suffix>)</suffix>
</input>
This generates a nice OR delimited list of hosts like (host="myHost1" OR host="myHost2") that I can use in a search. Sweet!!
The problem is I want to use that same value in a different area of my dashboard but it needs to be formatted differently. Instead of an OR delimited list with a prefix/suffix, I need to pass it as a comma delimited list for use in a macro like this:
| CallTheMacro("myHost1, myHost2")
In this case the multiselect would have a completely different configuration:
<input type="multiselect" token="hostFilter" searchWhenChanged="true">
<label>Server</label>
<search>
<query>| get my list of servers</query>
<earliest>-15m</earliest>
<latest>now</latest>
</search>
<delimiter>,</delimiter>
<prefix>"</prefix>
<suffix>"</suffix>
</input>
I was able to get something working adding a change condition to the input and doing replaces on the generated token...it is icky and I'm hoping there is a better way:
<input type="multiselect" token="hostFilter" searchWhenChanged="true">
<label>Server</label>
<search>
<query>| get my list of servers</query>
<earliest>-15m</earliest>
<latest>now</latest>
</search>
<valuePrefix>host="</valuePrefix>
<valueSuffix>)"</valueSuffix>
<delimiter> OR </delimiter>
<prefix>(</prefix>
<suffix>)</suffix>
<change>
<condition>
<eval token="macroInput">
replace('hostFilter', "host=", "")
</eval>
<eval token="macroInput">
replace('macroInput', "\\"", "")
</eval>
<eval token="macroInput">
replace('macroInput', " OR ", ",")
</eval>
<eval token="macroInput">
replace('macroInput', "\\(", "\\"")
</eval>
<eval token="macroInput">
replace('macroInput', "\\)", "\\"")
</eval>
</condition>
</change>
</input>
What is a bit cool is chaining together the replaces to simplify each step...but it is still very clunky. Any suggestions welcome, thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What I find interesting about this is, that Splunk docs say: <change> and <condition> are "Not available for multiselect inputs" 😉
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
