Splunk Search

Append * to the end of values in a multivalue input

JeffBothel
Explorer

I have created a multivalue parser from suggestions in the Splunk answers in the following form:

[stats count | eval src="$dashInSrc$" | makemv src delim="," | mvexpand src | fields src]

But what I would like to have happen is to append an asterisk to the end of each value, to broaden my search to values that might not be complete at input for the values of the fields in the events; i.e., these are hostnames being input and I would like to include * so that when the event logs the value as the FQDN it will grab that event as well.

0 Karma
1 Solution

niketnilay
Legend

[Updated Answer based on details provided]
Seems like you are trying to use the subsearch [YourSubSearch] to provide filters in your base search.

This is an ideal use case for the format command. After | table src just add | format and you should get your desired output. Refer to Splunk documentation for details: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Format

You should still be able to use the | makeresults command in your subsearch if your intent is to split the token dashInSrc and use the same OR-delimiter-separated src values, i.e. test1, test2, test3 to be used as ((src="test1*") OR (src="test2*") OR (src="test3*"))

[| makeresults
| eval src="$dashInSrc$" 
| makemv src delim=","
| mvexpand src
| eval src=src."*"
| table src
| format
| fields search]

Please try it out and confirm. Besides makeresults, the changes to your query are
1) | eval src=src."*" to append an asterisk to your field values and
2) | format | fields search to format the results to be run in the base query as per requirement.


You can use the Token Value Prefix, Token Value Suffix and Delimiter options in multiselect to set the tokens to be passed to your Splunk search. Try the following multiselect field.
PS: I have changed from stats count to the | makeresults command, which allows you to run a dummy search without querying the index/es.

  <fieldset submitButton="false">
    <input type="multiselect" token="tokMultiValue">
      <label></label>
      <valuePrefix>src="</valuePrefix>
      <valueSuffix>*"</valueSuffix>
      <delimiter> OR </delimiter>
      <fieldForLabel>src</fieldForLabel>
      <fieldForValue>src</fieldForValue>
      <search>
        <query>| makeresults
| eval src="$dashInSrc$" 
| makemv src delim=","
| mvexpand src 
| table src</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
  </fieldset>

Following is a dashboard to test the input token and multi select output:

<form>
  <label>Multivalue input suffixed with *</label>
  <!-- Initialize section to set the token dashInSrc with dummy data-->
  <init>
    <set token="dashInSrc">test1,test2,test3</set>
  </init>
  <fieldset submitButton="false">
    <input type="multiselect" token="tokMultiValue">
      <label></label>
      <valuePrefix>src="</valuePrefix>
      <valueSuffix>*"</valueSuffix>
      <delimiter> OR </delimiter>
      <fieldForLabel>src</fieldForLabel>
      <fieldForValue>src</fieldForValue>
      <search>
        <query>| makeresults
| eval src="$dashInSrc$" 
| makemv src delim=","
| mvexpand src 
| table src</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
  </fieldset>
  <!-- HTML Value to test token Input and Multiselect Output-->
  <row>
    <panel>
      <html>
        Input: $dashInSrc$
        &lt;br/&gt;
        Multivalue: $tokMultiValue$
      </html>
    </panel>
  </row>
</form>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"


0 Karma
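As an added illustration (not code from the answer above, and not Splunk's own implementation), the following Python model mirrors the accepted answer's subsearch so the expansion of dashInSrc can be checked offline before it is pasted into a dashboard. The exact quoting rules of Splunk's format command, and makemv dropping empty pieces, are assumptions here; the model also shows what happens when the input contains spaces after the commas, since makemv does not trim them.

```python
# Added example: a Python model of the accepted answer's subsearch
#   | eval src="$dashInSrc$" | makemv src delim="," | mvexpand src
#   | eval src=src."*" | table src | format
# Splunk's exact format quoting and makemv empty-piece behaviour are assumed.
from typing import List


def makemv_expand(value: str, delim: str = ",") -> List[str]:
    """Split the token like makemv + mvexpand: split on the delimiter only,
    dropping empty pieces (assumed). makemv does not trim surrounding
    whitespace, so ' web02' stays ' web02' unless the caller strips it."""
    return [part for part in value.split(delim) if part != ""]


def quote_value(value: str) -> str:
    """Wrap a value in double quotes, escaping backslash and quote
    characters (assumed to match how format quotes field values)."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def format_rows(field: str, values: List[str]) -> str:
    """Model of `| format` on a single-column table: each row becomes
    ( field="value" ), rows are joined with OR and the whole is
    parenthesised. An empty result set yields NOT (), as Splunk does."""
    if not values:
        return "NOT ()"
    clauses = [f"( {field}={quote_value(v)} )" for v in values]
    return "( " + " OR ".join(clauses) + " )"


def expand_src_filter(dash_in_src: str, strip_ws: bool = False) -> str:
    """End-to-end model of the subsearch for the dashInSrc token.
    strip_ws=True emulates an extra | eval src=trim(src) step."""
    hosts = makemv_expand(dash_in_src)
    if strip_ws:
        hosts = [h.strip() for h in hosts if h.strip()]
    return format_rows("src", [h + "*" for h in hosts])


if __name__ == "__main__":
    print(expand_src_filter("test1,test2,test3"))
    print(expand_src_filter("web01, web02"))             # note leading space
    print(expand_src_filter("web01, web02", strip_ws=True))
```

If hostnames are pasted with spaces after the commas, the second call shows why a trim step is worth adding to the subsearch.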


JeffBothel
Explorer

While I do thank you for the information on this and the makeresults item, this is not going to assist in what I am trying to accomplish. The multiselect field is not really an option because what we are searching for is any IP address or hostname out of thousands of servers, and some of those names might not be in data sources that I would reference for the field. Furthermore, we are going to be pulling these names from other sources as lists and putting those names we are specifically looking for into the single string search field to determine the information; i.e., the string we will use will be as follows

computer1,computer2,computer3

and I need it to be parsed from that string to the following search specifications from the string

src=computer1* OR src=computer2* OR src=computer3*

Thanks for the suggestion though.

0 Karma

niketnilay
Legend

@JeffBothel, sorry, after reading your question I thought you were using a multivalue panel with the Dynamic Search option and wanted to format that. I have updated my answer based on the details provided. You should be able to perform what you need using the Splunk format command. Please try out the updated answer and confirm.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

JeffBothel
Explorer

And your update has resolved what I was looking to do, albeit much more simply than was stated. Stepping through your idea for the solution, I noticed that the introduction of the asterisk was done with an eval that appended it to all the values of src that were in the subsearch, and I thought: why not just add the tiny little segment that adds the asterisk to the search and see what happens? I added the following

| eval src=src."*"

to get the overall line of

[makeresults | eval src="$dashInSrc$" | makemv src delim="," | mvexpand src | eval src=src."*" | fields src]

Which garnered the results I was looking for with this item. So thank you for the assistance on this and the valuable insights.

0 Karma