Splunk Search

Can the default be a new search in multiselect?

hketer
Path Finder

Hi Everyone!

alt text

Like you, I have a text box (Splunk Field) that can get the value as a token by clicking from the table on the left side.
The token is $splunkField$

I defined multiselect (Mapping options) that contain list of values I get from a search.

| inputlookup append=t $fldMappingSet$.csv | fields soc3dField

My question is, can I display in the multiselect values from a new search as default?
I mean according to the token in the textbox I want the multiselect that will choose the values by default (with another search )

| inputlookup append=t MappingDemo.csv | search customField=$splunkField$  | fields soc3dField

Like this for example:
alt text

I hope I've explained myself well.

Thank you all!!

0 Karma

VatsalJagani
Motivator

@hketer,

Add this to your dashboard and check.

<search>
  <query>| inputlookup append=t MappingDemo.csv | search customField=$splunkField$ | fields soc3dField | stats values(soc3dField) as defaultValue | eval defaultValue=mvjoin(" ,")</query>
  <done>
    <set token="defaultValue">$result.defaultValue$</set>
  </done>
</search>

Set default value to..

<default>$defaultValue$</default>

Hope this helps!!!

niketnilay
Legend

@hketer are you looking for something like the following old answer or mine?

Comma separated values in the Text Box is ued to select the values in the multiselect: https://answers.splunk.com/answers/582644/how-do-i-populate-a-multiselect-input-box-with-dri.html

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

hketer
Path Finder

Hey @niketnilay !

I don't think its the same

this is part of the XML I have

      <set token="customm">$row.SOC3D field name$</set>
      <set token="splunkField">$row.SPLUNK field name$</set>
    </drilldown>
  </table>
</panel>
<panel>
  <title>Update Mapping Set</title>
  <input type="text" token="splunkFieldText" id="splunkFieldID" searchWhenChanged="false">
    <label>Splunk Field</label>
    <default>$splunkField$</default>
  </input>
  <input type="multiselect" token="MappMultiSelect" searchWhenChanged="false">
    <label>Mapping options</label>
    <search>
      <query>| inputlookup append=t $fldMappingSet$.csv | fields soc3dField</query>
    </search>
    **<default>
    </default>**
    <fieldForLabel>soc3dField</fieldForLabel>
    <fieldForValue>soc3dField</fieldForValue>
    <delimiter> ,</delimiter>
  </input>
  <html>
            <!-- Set the $show_chart$ token when the link is clicked, also unset the $show_table$ token -->
            <a href="#" class="btn btn-primary" data-set-token="UpdateLookup" data-value="show" data-unset-token="show_table">
                Update Mapping Set
            </a>
        </html>
  <table depends="$UpdateLookup$">
    <search base="Update_Mapping"></search>
  </table>
</panel>

I want the default to be a different query.

I've tried to add
and some other labels under the

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!