- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: Using Multiselect values in where clause
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Using Multiselect values in where clause
Hello,
I'm creating a dashboard right now that uses a multiselect field to filter the data loaded into a table. The issue I'm having stems from the field I want to compare the multiselect values against. I'm pulling DOMAIN_NAME from the source field in the query, and I want to limit the results of the table to only logs that contain matching DOMAIN_NAMES values.
Here is the query I'm using to populate the multiselect:
host=hostnameindex="index" "BEA" | rex field=source "(?<LOG_DIRr>[\w\W/]+)/(?<DOMAIN_NAME>[^.]+)/(?<JVM_NAME>[^.]+)/(?<LOG_NAME>[^.]+).*" | dedup DOMAIN_NAME | stats count by DOMAIN_NAME
And here is the query I'm using for the table:
host=hostname index="index" "BEA" $domain_name_dropdown$ | rex field=source "(?<LOG_DIRr>[\w\W/]+)/(?<DOMAIN_NAME>[^.]+)/(?<JVM_NAME>[^.]+)/(?<LOG_NAME>[^.]+).*"
I think this is because the DOMAIN_NAME values that I'm trying to search on haven't been captured yet in the search string.. So it's trying to search for DOMAIN_NAME in the logs (which is only in the source field) before doing the regex to actually pull the domain name out.
To combat this I tried using a where clause after the regex. This works beautifully when I only select one value in the multiselect. However, I cannot find a way to use a single where clause with multiple values.. I even tried using the prefix/suffix/delimiter values in the multiselect to build a whole where clause for each value, but that doesn't work.
Am I on the right track here or is there a better way to do this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this for the search in your table instead.
host=hostname index="index" "BEA" | rex field=source "(?<LOG_DIRr>[\w\W/]+)/(?<DOMAIN_NAME>[^.]+)/(?<JVM_NAME>[^.]+)/(?<LOG_NAME>[^.]+).*" | search $domain_name_dropdown$
You might have to put an OR in the delimiter of the multiselect.
Basically you need to filter your results of your search after you extract your DOMAIN_NAME with the regex or the search doesn't know what it is. That is assuming I am reading your question correctly.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yeah you can see what it used in the search. After it returns no results just hit "open in search" in the bottom right of the panel. Try this instead.
<label>DOMAIN NAME</label>
<fieldForLabel>DOMAIN_NAME</fieldForLabel>
<fieldForValue>DOMAIN_NAME</fieldForValue>
<prefix>(DOMAIN_NAME=</prefix>
<suffix>)</suffix>
<delimiter> OR DOMAIN_NAME=</delimiter>
<choice value="*">All</choice>
<default>*</default>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think you understood the question, but it doesn't look like this is working either. If I don't select a domain name in the multiselect and just use the default of *, the search returns results. However if I select one or more domain names, it doesn't return any results.
<label>DOMAIN NAME</label>
<fieldForLabel>DOMAIN_NAME</fieldForLabel>
<fieldForValue>DOMAIN_NAME</fieldForValue>
<prefix>(</prefix>
<suffix>)</suffix>
<delimiter>OR</delimiter>
<choice value="*">All</choice>
<default>*</default>
Is there any way to see the value of $domain_name_dropdown$ that is being used in the search?
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
