I want to have a text box where a user can paste a list of items and then have each line be treated as an OR argument.
For example:
User puts the following in a text box (Token=status):
400
403
404
The form has the following search in it: search index=httplogs status=$status$
Then hit search and the following search executes: search index=httplogs status=400 OR status=403 OR status=404
Is this possible?
Thanks
As far as I know there's no such multi-line textbox available. You could solve this in other ways, but if your requirement is that the textbox needs to be multiline you're out of luck.
UPDATE: I've been digging through my previous splunkbase answers because I'm pretty sure I wrote up a solution on this, but I'm unable to find it. Anyway the idea was that given a textbox with comma delimited values, this would be expanded to an OR separated list. So, let's say the user-provided input (the comma-delimited list of terms) is available in the variable $status$. Enter this into a query using a subsearch, expand the list into a multivalued field using makemv and voilà, this should expand into what you want.
youroutersearch [search * | head 1 | eval status="$status$" | makemv delim="," status | fields status]
(the search + head commands at the beginning of the subsearch are just to get one event so that eval can do its thing. You could use other commands like gentimes if you don't want to perform a search operation for this)
So, what happens is the user inputs for example "400,403,404" in the input field. This is put into the variable status by eval, then expanded into a multivalued field by makemv, then finally the subsearch returns, performing an OR operation between the terms so that the subsearch is expanded to
youroutersearch ((( status="400" OR status="403" OR status="404" )))
This is actually possible with the latest version of Sideview Utils.
The latest is 2.4. You can download it from the Sideview website, and it is free for internal use. http://sideviewapps.com/apps/sideview-utils/
Here's what the config would look like for your use case.
<module name="TextField" layoutPanel="panel_row3_col1" autoRun="True">
  <param name="name">multilineStatuses</param>
  <param name="label">enter status values one on each line</param>
  <param name="rows">4</param>
  <module name="Button">
    <!-- split the text box contents on newlines -->
    <module name="ValueSetter">
      <param name="name">arrayValue</param>
      <param name="delim">\n</param>
      <param name="value">$multilineStatuses$</param>
      <!-- turn each value into status="..." and join the terms with OR -->
      <module name="ArrayValueSetter">
        <param name="name">searchExpression</param>
        <param name="array">$arrayValue$</param>
        <param name="template">status="$value$"</param>
        <param name="separator">+OR+</param>
        <param name="outerTemplate">( $value$ )</param>
      </module>
    </module>
  </module>
</module>
Basically it's a multiline text input box, the user types in status codes, one on each line, and the end result is a token called $searchExpression$, that will be ( status="500" OR status="401" OR status="404" )
Note that there is also a page of documentation about the ArrayValueSetter module on which you'll see an example quite similar to this one. Once you've updated the app and restarted Splunk, navigate in the Sideview Utils docs to "Module Documentation > Advanced Modules > The ArrayValueSetter module"
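Both answers above turn pasted text (comma-delimited or one value per line) into a quoted OR expression. The following is an added example, not code from the thread or from Sideview Utils, showing the same expansion with blank lines, Windows line endings, duplicates and embedded quotes handled so a pasted value cannot break out of its quoted string. `buildOrExpression` and its parameters are hypothetical names, and the sample input is constructed.

```javascript
// Added example: expand pasted text into ( field="a" OR field="b" ... ).
// buildOrExpression is a hypothetical helper, not a Splunk or Sideview API.
function buildOrExpression(field, pasted, delim = /[\r\n,]+/) {
  // The field name is chosen by the dashboard author, not the user, but
  // anything that is not a plain identifier is still rejected.
  if (!/^[A-Za-z_][A-Za-z0-9_.]*$/.test(field)) {
    throw new Error("invalid field name: " + field);
  }
  const seen = new Set();
  const terms = [];
  for (const raw of String(pasted).split(delim)) {
    const value = raw.trim();
    if (value === "" || seen.has(value)) continue; // skip blanks and repeats
    seen.add(value);
    // Escape backslashes first, then double quotes, so the value stays
    // inside its quoted string instead of adding new search terms.
    const escaped = value.replace(/\\/g, "\\\\").replace(/"/g, '\\"');
    terms.push(`${field}="${escaped}"`);
  }
  // Return null for empty input so the caller can refuse to run an
  // unfiltered search rather than substituting an empty token.
  if (terms.length === 0) return null;
  return "( " + terms.join(" OR ") + " )";
}

// Constructed sample: a paste with CRLF line endings and a blank line.
const samplePaste = "400\r\n403\r\n\r\n404\r\n";
console.log("search index=httplogs " + buildOrExpression("status", samplePaste));
```
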
Good to know. Once I dig in to your App I might consider doing this. Thanks for your reply.
Unfortunately, the form search modules in "vanilla" Splunk do not provide an option to assemble the terms provided by the user into a "TERM1 OR TERM2 OR TERM3" expression.
You would have to write your own module to perform this task.
Too many values to do this.
You could populate the Pulldown dynamically with every value the field can take, based on the events loaded into Splunk. Anything else typed by the users would not yield results anyway.
Awesome! I changed the delim to a blank space instead of a comma so the user does not have to worry about pasting a comma-delimited list.
Updated my answer. Let me know if this works 🙂
Is there a way to do it without having a multi-line form? I just want the user to paste and search, but sometimes they might search for more than one value depending on what they copied.
No because today they might search for 400,403,404, but tomorrow for 1223,456,901. We do not know what they will be looking for, but we know what field to look in.
Have you considered using a multi-line Pulldown from Sideview Utils? That would also save your users from knowing available values.