Getting Data In

Form with a multi-line text box that will OR every line it is given.

agodoy
Communicator

I want to have a text box where a user can paste a list of items and then have each line be treated as an OR argument.

For Example:
User puts the following in a text box(Token=status):

400
403
404

The form has the following search in it: search index=httplogs status=$status$

Then hit search and the following search executes: search index=httplogs status=400 OR status=403 OR status=404

Is this possible?

Thanks

Tags (4)
1 Solution

Ayn
Legend

As far as I know there's no such multi-line textbox available. You could solve this in other ways, but if your requirement is that the textbox needs to be multiline you're out of luck.

UPDATE: I've been digging through my previous splunkbase answers because I'm pretty sure I wrote up a solution on this, but I'm unable to find it. Anyway the idea was that given a textbox with comma delimited values, this would be expanded to an OR separated list. So, let's say the user-provided input (the comma-delimited list of terms) is available in the variable $status$. Enter this into a query using a subsearch, expand the list into a multivalued field using makemv and voilà, this should expand into what you want.

youroutersearch [search * | head 1 | eval status="$status$" | makemv delim="," status | fields status]

(the search + head commands at the beginning of the subsearch is just to get one event so that eval can do its thing. You could use other commands like gentimes if you don't want to perform a search operation for this)

So, what happens is the user inputs for example "400,403,404" in the input field. This is put into the variable status by eval, then expanded into a multivalued field holding by makemv, then finally the subsearch returns, performing an OR operation between the terms so that the subsearch is expanded to

youroutersearch ((( status="400" OR status="403" OR status="404" )))

View solution in original post

sideview
SplunkTrust
SplunkTrust

This is actually possible with the latest version of Sideview Utils.

The latest is 2.4. You can download it from the Sideview website, and it is free for internal use. http://sideviewapps.com/apps/sideview-utils/

here's what the config would look like for your use case.

<module name="TextField" layoutPanel="panel_row3_col1" autoRun="True">
  <param name="name">multilineStatuses</param>
  <param name="label">enter status values one on each line</param>
  <param name="rows">4</param>

  <module name="Button">

    <module name="ValueSetter">
      <param name="name">arrayValue</param>
      <param name="delim">\n</param>
      <param name="value">$multilineStatuses$</param>

      <module name="ArrayValueSetter">
        <param name="name">searchExpression</param>
        <param name="array">$arrayValue$</param>
        <param name="template">status="$value$"</param>
        <param name="separator">+OR+</param>
        <param name="outerTemplate">( $value$ )</param>

Basically it's a multiline text input box, the user types in status codes, one on each line, and the end result is a token called $searchExpression$, that will be ( status="500" OR status="401" OR status="404" )

Note that there is also a page of documentation about the ArrayValueSetter module on which you'll see an example quite similar to this one. Once you've updated the app and restarted Splunk, navigate in the Sideview Utils docs to "Module Documentation > Advanced Modules > The ArrayValueSetter module"

agodoy
Communicator

Good to know. Once I dig in to your App I might consider doing this. Thanks for your reply.

0 Karma

hexx
Splunk Employee
Splunk Employee

Unfortunately, the form search modules in "vanilla" Splunk do not provide an option to assemble the terms provided by the user into a "TERM1 OR TERM2 OR TERM3" expression.

You would have to write your own module to perform this task.

0 Karma

agodoy
Communicator

Too many values to do this.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

You could populate the Pulldown dynamically with every value the field can take, based on the events loaded into splunk. Anything else typed by the users would not yield results anyway.

0 Karma

Ayn
Legend

As far as I know there's no such multi-line textbox available. You could solve this in other ways, but if your requirement is that the textbox needs to be multiline you're out of luck.

UPDATE: I've been digging through my previous splunkbase answers because I'm pretty sure I wrote up a solution on this, but I'm unable to find it. Anyway the idea was that given a textbox with comma delimited values, this would be expanded to an OR separated list. So, let's say the user-provided input (the comma-delimited list of terms) is available in the variable $status$. Enter this into a query using a subsearch, expand the list into a multivalued field using makemv and voilà, this should expand into what you want.

youroutersearch [search * | head 1 | eval status="$status$" | makemv delim="," status | fields status]

(the search + head commands at the beginning of the subsearch is just to get one event so that eval can do its thing. You could use other commands like gentimes if you don't want to perform a search operation for this)

So, what happens is the user inputs for example "400,403,404" in the input field. This is put into the variable status by eval, then expanded into a multivalued field holding by makemv, then finally the subsearch returns, performing an OR operation between the terms so that the subsearch is expanded to

youroutersearch ((( status="400" OR status="403" OR status="404" )))

agodoy
Communicator

Awesome! I changed the delim to a blank space instead of a comma so the user does not have to worry about pasting a comma-delimited list.

0 Karma

Ayn
Legend

Updated my answer. Let me know if this works 🙂

0 Karma

agodoy
Communicator

Is there a way to do it without having a multi-line form. I just want the user to paste and search, but sometimes they might search for more then one value depending on what they copied.

0 Karma

agodoy
Communicator

No because today they might search for 400,403,404, but tomorrow for 1223,456,901. We do not know what they will be looking for, but we know what field to look in.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Have you considered using a multi-line Pulldown from sideview utils? That would also save your users from knowing available values.

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...