Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

multiselect and foreach

astatrial
Contributor
‎03-26-2019 08:10 AM

Hello !
I have a dashboard with two inputs fields, one drilldown and the other is multiselect.
I am trying to get values from multiselect input and run a search on them.

The search will take every value from the multiselect and will insert, to an existing lookup, a row with the value and the drilldown token's value.

For example:
Multi select Token = Field1, Field2, Field3
drilldown Token = old
After clicking submit this will be the lookup:

alt text

Those rows should replace every other row which existed in the lookup before and had the drilldown value.

I managed to do it for a single valued token but not for multiselect token: 

| makeresults 
| eval Column1="$single$" , Column2="$drilldown$" 
| table Column1 Column2
| inputlookup append=t Lookup.csv
| where Column2!= "$drilldown$" OR (Column1= "$single$" AND Column2= "$drilldown$")
| outputlookup  Lookup.csv

I have tried to use foreach but it doesn't really work.

Can someone help me with that?

Thanks !

Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎03-26-2019 08:43 AM

It'll depend upon how the values are formatted in your multiselect. Assuming you're creating a comma separated list of values (e.g. "Value1, Value2, Value3" ) then try this

| makeresults 
 | eval Column1="$single$" , Column2="$drilldown$" 
 | table Column1 Column2
 | makemv Column1 delim="," | mvexpand Column1
 | outputlookup  Lookup.csv

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎03-26-2019 08:43 AM

It'll depend upon how the values are formatted in your multiselect. Assuming you're creating a comma separated list of values (e.g. "Value1, Value2, Value3" ) then try this

| makeresults 
 | eval Column1="$single$" , Column2="$drilldown$" 
 | table Column1 Column2
 | makemv Column1 delim="," | mvexpand Column1
 | outputlookup  Lookup.csv
0 Karma
Reply
Solved! Jump to solution

astatrial
Contributor
‎03-28-2019 01:02 AM

Hi,
That helped me get closer to what i need !
Can you help me with the other part of my question ?

I am trying to add the content of the lookup without the values of the drilldown.
The subsearch i add doesn't seem to work :

| search
[| inputlookup lookup.csv
| where Column2!= "$drilldown$"
| table Column1 Column2]

I really appreciate your help !

0 Karma
Reply
Solved! Jump to solution

astatrial
Contributor
‎03-28-2019 01:09 AM

Never mind i got it
I used the command append instead of the search.

Thanks a lot !!!!

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...