Solved: Error in multiselect - Could not create search

sangs8788 · ‎11-23-2017

Below is the code for multiselect which gets populated dynamically based on user selection. The Search query seems to be working fine outside using Search & Reporting app. But doesnt work when added as dynamic query to dashboard.

<input type="multiselect" token="tokenhost" searchWhenChanged="true">
  <label>$hosttype$</label>
  <search>
    <query>index=app   sourcetype=app_gc_log  | eval host = case(host like "%" +substr(lower($hosttype$),1, 3)+ "%", host)| dedup host | table host</query>
    <earliest>-30d@d</earliest>
    <latest>now</latest>
  </search>
  <fieldForLabel>host</fieldForLabel>
  <fieldForValue>host</fieldForValue>
  <valuePrefix>host=</valuePrefix>
  <delimiter> OR </delimiter>
</input>
<input type="time" token="field2" searchWhenChanged="true">
  <label></label>
  <default>
    <earliest>-4h@m</earliest>
    <latest>now</latest>
  </default>
</input>

danbar6 · ‎11-23-2017

$hosttype$ needs to get an initial value for the search to be built and run.
You can do that in another dynamic input or by giving it a static value in another input.

View solution in original post

danbar6 · ‎11-23-2017

$hosttype$ needs to get an initial value for the search to be built and run.
You can do that in another dynamic input or by giving it a static value in another input.

jplumsdaine22 · ‎11-23-2017

What do you mean by "didn't work?" Do you get an error message?

lukas_loder · ‎11-23-2017

Where did you define the $hosttype$ token you are using there?

sangs8788 · ‎11-23-2017

It is passed from another dashboard but I am pretty sure the value is getting passed to $hosttype$. I am able to see the value passed.

lukas_loder · ‎11-23-2017

so you see the new $hosttype$ value in your label? Or is this one empty?

sangs8788 · ‎11-23-2017

i see the value in label

niketn · ‎11-23-2017

@sangs8788, Can you try the following search, which converts both terms to be matched into lower case?

index=app sourcetype=app_gc_log 
| eval host = case(match(lower(host),lower(substr("$hosttype$",1, 3))), host) 
| dedup host 
| table host
| sort host

If this does not work, can you run the same search for multiselect inside a table to see whether you are getting results?

<table>
   <search>
     <query>index=app   sourcetype=app_gc_log  | eval host = case(host like "%" +substr(lower($hosttype$),1, 3)+ "%", host)| dedup host | table host</query>
     <earliest>-30d@d</earliest>
     <latest>now</latest>
   </search>
</table>

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

sangs8788 · ‎11-23-2017

Error displays right below the multiselect "could not create search"

Error in multiselect - Could not create search

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation