Dashboards & Visualizations
Highlighted

multiselect and foreach

Communicator

Hello !
I have a dashboard with two inputs fields, one drilldown and the other is multiselect.
I am trying to get values from multiselect input and run a search on them.

The search will take every value from the multiselect and will insert, to an existing lookup, a row with the value and the drilldown token's value.

For example:
Multi select Token = Field1, Field2, Field3
drilldown Token = old
After clicking submit this will be the lookup:

alt text

Those rows should replace every other row which existed in the lookup before and had the drilldown value.

I managed to do it for a single valued token but not for multiselect token:

| makeresults 
| eval Column1="$single$" , Column2="$drilldown$" 
| table Column1 Column2
| inputlookup append=t Lookup.csv
| where Column2!= "$drilldown$" OR (Column1= "$single$" AND Column2= "$drilldown$")
| outputlookup  Lookup.csv

I have tried to use foreach but it doesn't really work.

Can someone help me with that?

Thanks !

0 Karma
Highlighted

Re: multiselect and foreach

SplunkTrust
SplunkTrust

It'll depend upon how the values are formatted in your multiselect. Assuming you're creating a comma separated list of values (e.g. "Value1, Value2, Value3" ) then try this

| makeresults 
 | eval Column1="$single$" , Column2="$drilldown$" 
 | table Column1 Column2
 | makemv Column1 delim="," | mvexpand Column1
 | outputlookup  Lookup.csv

View solution in original post

0 Karma
Highlighted

Re: multiselect and foreach

Communicator

Hi,
That helped me get closer to what i need !
Can you help me with the other part of my question ?

I am trying to add the content of the lookup without the values of the drilldown.
The subsearch i add doesn't seem to work :

| search
[| inputlookup lookup.csv
| where Column2!= "$drilldown$"
| table Column1 Column2]

I really appreciate your help !

0 Karma
Highlighted

Re: multiselect and foreach

Communicator

Never mind i got it
I used the command append instead of the search.

Thanks a lot !!!!

0 Karma