Dashboards & Visualizations

multiselect and foreach

astatrial
Contributor

Hello !
I have a dashboard with two inputs fields, one drilldown and the other is multiselect.
I am trying to get values from multiselect input and run a search on them.

The search will take every value from the multiselect and will insert, to an existing lookup, a row with the value and the drilldown token's value.

For example:
Multi select Token = Field1, Field2, Field3
drilldown Token = old
After clicking submit this will be the lookup:

alt text

Those rows should replace every other row which existed in the lookup before and had the drilldown value.

I managed to do it for a single valued token but not for multiselect token:

| makeresults 
| eval Column1="$single$" , Column2="$drilldown$" 
| table Column1 Column2
| inputlookup append=t Lookup.csv
| where Column2!= "$drilldown$" OR (Column1= "$single$" AND Column2= "$drilldown$")
| outputlookup  Lookup.csv

I have tried to use foreach but it doesn't really work.

Can someone help me with that?

Thanks !

0 Karma
1 Solution

somesoni2
Revered Legend

It'll depend upon how the values are formatted in your multiselect. Assuming you're creating a comma separated list of values (e.g. "Value1, Value2, Value3" ) then try this

| makeresults 
 | eval Column1="$single$" , Column2="$drilldown$" 
 | table Column1 Column2
 | makemv Column1 delim="," | mvexpand Column1
 | outputlookup  Lookup.csv

View solution in original post

0 Karma

somesoni2
Revered Legend

It'll depend upon how the values are formatted in your multiselect. Assuming you're creating a comma separated list of values (e.g. "Value1, Value2, Value3" ) then try this

| makeresults 
 | eval Column1="$single$" , Column2="$drilldown$" 
 | table Column1 Column2
 | makemv Column1 delim="," | mvexpand Column1
 | outputlookup  Lookup.csv
0 Karma

astatrial
Contributor

Hi,
That helped me get closer to what i need !
Can you help me with the other part of my question ?

I am trying to add the content of the lookup without the values of the drilldown.
The subsearch i add doesn't seem to work :

| search
[| inputlookup lookup.csv
| where Column2!= "$drilldown$"
| table Column1 Column2]

I really appreciate your help !

0 Karma

astatrial
Contributor

Never mind i got it
I used the command append instead of the search.

Thanks a lot !!!!

0 Karma
Get Updates on the Splunk Community!

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...

Security Highlights | January 2023 Newsletter

January 2023 Splunk Security Essentials (SSE) 3.7.0 ReleaseThe free Splunk Security Essentials (SSE) 3.7.0 app ...