Solved: Re: Using a range of numbers as input for a token

ryan_mercer · ‎04-13-2021

I'm trying to determine how to allow users to enter a range of values as an input on a dashboard, and assign as a token

Example: 1470-1493; 3019; 4267 (allowing ranges delineated by '-' and values delineated by ';'

Would like extract the values and use them with the IN command

index=blah sourcetype="blah" host=1.2.3.4 Skill IN (1470 1471 463 1472 1473 1482 1483 1484 1485 1490....

Any help is greatly appreaciated!

maciep · ‎04-14-2021

I think using the mvrange function will come in handy here. Assuming that you call the token for that input $skills$, then i think something like this should work. This would be a search element in your dashboard - which you would then set a new token value to the nums field this creates.

This will essentially split the input by semicolon, then put each of those in their own events, determine the start/end values for each of them, create all of the numbers with mvrange and then put the whole thing back together to be used with the IN operator.

Not tested at all with a dashboard, but hopefully gets you to where you're trying to go.

| stats count
| input = split($skills$,";")
| mvexpand input
| eval input = split(trim(input),"-")
| eval start = if(mvcount(input)=2,mvindex(input,0),input), end = if(mvcount(input)=2,mvindex(input,1),input)
| eval nums = mvrange(start,end+1)
| fields nums
| mvexpand nums
| mvcombine nums
| eval nums = "(" + mvjoin(nums,",") + ")"

View solution in original post

maciep · ‎04-14-2021

I think using the mvrange function will come in handy here. Assuming that you call the token for that input $skills$, then i think something like this should work. This would be a search element in your dashboard - which you would then set a new token value to the nums field this creates.

This will essentially split the input by semicolon, then put each of those in their own events, determine the start/end values for each of them, create all of the numbers with mvrange and then put the whole thing back together to be used with the IN operator.

Not tested at all with a dashboard, but hopefully gets you to where you're trying to go.

| stats count
| input = split($skills$,";")
| mvexpand input
| eval input = split(trim(input),"-")
| eval start = if(mvcount(input)=2,mvindex(input,0),input), end = if(mvcount(input)=2,mvindex(input,1),input)
| eval nums = mvrange(start,end+1)
| fields nums
| mvexpand nums
| mvcombine nums
| eval nums = "(" + mvjoin(nums,",") + ")"

ryan_mercer · ‎04-28-2021

Ok, finally got back to giving this a shot. Great news is that the logic works, but now I'm trying to figure out how set a token with the extracted value to be used with the IN operator.

How can I take the value of 'nums' and set a token with those results?

Thanks!

maciep · ‎04-28-2021

I think you should be able to set it in your search element during the finalized (or done or whatever) phase. In the splunk docs, these options can be found under "search event handlers" or something like that. So pseudo'ish dashboard xml might look like this.

<search>
  <query> 
      . that 
      . long
      . search
  </query>
  <finalized>
     <set token="skill_list">$result.nums$</set>
  </finalized>
</search>
.
.
.
<row>
  <panel>
    <table>
       <search>
          <query>index=whatever AND skill IN $skill_list$ .... </query>
        </search>
     </table>
   </panel>
</row>

ryan_mercer · ‎04-28-2021

Great, thanks. Will give it a shot and let you know.

ryan_mercer · ‎04-15-2021

Thanks! Will give it a try.

Marco · ‎04-13-2021

@ryan_mercer if you are trying to accept Input From a user this guy has some really good examples on how to do that.

https://github.com/JasonConger/SplunkConf18

I was able to make something like this from his examples. Not sure if this is what you're going for.

-Marco

ryan_mercer · ‎04-15-2021

Will check it out, thanks!

Using a range of numbers as input for a token

token

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM