I have created a multivalue parser from suggestions in the Splunk answers in the following form:
[stats count | eval src="$dashInSrc$" | makemv src delim="," | mvexpand src | fields src]
But what I would like to have happen is at the end of each value append the asterisk to broaden my search to values that might not be complete at input for the values of the fields in the events; i.e. these are hostnames being input and I would like to include * so that when the event logs the value as the FQDN it will grab that event as well.
[Updated Answer based on details provided]
Seems like you are trying to use the subsearch [YourSubSearch] to provide filters in your base search.
This is an ideal use case for the format command. After | table src just add | format and you should get your desired output. Refer to Splunk documentation for details: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Format
You should still be able to use the | makeresults command in your subsearch if your intent is to split the token dashInSrc and use the same OR delimiter separated src values, i.e. test1, test2, test3 to be used as ((src="test1*") OR (src="test2*") OR (src="test3*"))
[| makeresults
| eval src="$dashInSrc$"
| makemv src delim=","
| mvexpand src
| eval src=src."*"
| table src
| format
| fields search]
Please try out and confirm. Besides makeresults, the changes to your query are
1) | eval src=src."*"
to append asterisk to your field values and
2) | format | fields search
to format the results to be run in base query as per requirement.
You can use the Token Value Prefix, Token Value Suffix and Delimiter options in multivalue to set the tokens to be passed to your Splunk Search. Try the following multiselect field.
PS: I have changed from stats count to the | makeresults command, which allows you to run a dummy search without querying index/es.
<fieldset submitButton="false">
<input type="multiselect" token="tokMultiValue">
<label></label>
<valuePrefix>src="</valuePrefix>
<valueSuffix>*"</valueSuffix>
<delimiter> OR </delimiter>
<fieldForLabel>src</fieldForLabel>
<fieldForValue>src</fieldForValue>
<search>
<query>| makeresults
| eval src="$dashInSrc$"
| makemv src delim=","
| mvexpand src
| table src</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
</input>
</fieldset>
Following is a dashboard to test the input token and multi select output:
<form>
<label>Multivalue input suffixed with *</label>
<!-- Initialize section to set the token dashinSrc with dummy data-->
<init>
<set token="dashInSrc">test1,test2,test3</set>
</init>
<fieldset submitButton="false">
<input type="multiselect" token="tokMultiValue">
<label></label>
<valuePrefix>src="</valuePrefix>
<valueSuffix>*"</valueSuffix>
<delimiter> OR </delimiter>
<fieldForLabel>src</fieldForLabel>
<fieldForValue>src</fieldForValue>
<search>
<query>| makeresults
| eval src="$dashInSrc$"
| makemv src delim=","
| mvexpand src
| table src</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
</input>
</fieldset>
<!-- HTML Value to test token Input and Multiselect Output-->
<row>
<panel>
<html>
Input: $dashInSrc$
<br/>
Multivalue: $tokMultiValue$
</html>
</panel>
</row>
</form>
While I do thank you for the information on this and the makeresults item, this is not going to assist in what I am trying to accomplish. The multiselect field is not really an option because what we are searching for is any IP address or hostname out of thousands of servers, and some of those names might not be in data sources that I would reference for the field. Furthermore, we are going to be pulling these names from other sources as lists and putting those names we are specifically looking for into the single string search field to determine the information; i.e. the string we will use will be as follows
computer1,computer2,computer3
and I need it to be parsed from that string to the following search specifications from the string
src=computer1* OR src=computer2* OR src=computer3*
Thanks for the suggestion though.
@JeffBothel, Sorry after reading your question, I thought you were using a multi value panel with Dynamic Search option and wanted to format that. I have updated my answer based on the details provided. You should be able to perform what you need using Splunk format
command. Please try out the updated answer and confirm.
And your update has resolved what I was looking to do, albeit much more simply than was stated. Stepping through your idea for the solution I noticed that the introduction of the asterisk was done with an eval that was to append it to all the values of src that were in the subsearch, and I thought why not just add the tiny little segment that added the asterisk to the search and see what happens; I added the following
| eval src=src."*"
to get the overall line of
[makeresults | eval src="$dashInSrc$" | makemv src delim="," | mvexpand src | eval src=src."*" | fields src]
Which garnered the results I was looking for with this item. So thank you for the assistance on this and the valuable insights.
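As an added example that is not part of this thread or of Splunk's own code, the Python below emulates what the subsearch above produces (split the token, append the wildcard, format the disjunction), so the generated filter can be inspected before it is pasted into a base search. It also trims whitespace around each value (makemv keeps it, so "a, b" would otherwise yield " b*") and rejects values that are not plausible hostnames or IP addresses; the HOST_RE pattern and the function names are assumptions.

```python
"""Emulate the thread's subsearch outside Splunk and check its output."""
import re

# Assumed allow-list for the values the asker feeds in (hostnames, IPv4/IPv6
# addresses).  Anything else is refused rather than spliced into the SPL.
HOST_RE = re.compile(r"^[A-Za-z0-9.:\-]+$")


def split_token(token: str, delim: str = ",") -> list:
    """Emulate `makemv src delim="," | mvexpand src`, trimming each value
    and dropping blanks (e.g. a trailing comma)."""
    return [v.strip() for v in token.split(delim) if v.strip()]


def build_src_filter(token: str, field: str = "src", wildcard: str = "*") -> str:
    """Emulate `| eval src=src."*" | table src | format`.

    The spacing mirrors the default output of Splunk's format command:
    ( ( src="a*" ) OR ( src="b*" ) ).  A subsearch returning a single field
    is rendered the same way implicitly, which is why the asker's final
    `| fields src` variant also works.
    """
    values = split_token(token)
    if not values:
        # An empty filter would silently widen the base search; refuse it.
        raise ValueError("token produced no values")
    bad = [v for v in values if not HOST_RE.match(v)]
    if bad:
        raise ValueError("refusing non-hostname values: %r" % bad)
    clauses = ['( %s="%s%s" )' % (field, v, wildcard) for v in values]
    return "( " + " OR ".join(clauses) + " )"


if __name__ == "__main__":
    # Constructed sample matching the thread's test token.
    print(build_src_filter("test1,test2,test3"))
```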