Solved: Re: Field in Lookup Table with Multiple Values

alan20854 · ‎07-01-2016

In one of the columns of my lookup table, host, some values have two hosts rather than just one.

For example, my table might look like this
app,environment,host
app1,env1,host1
app1,env2,host1 OR host2
...

In my dashboard panel, I am writing a query that would search for all events with the selected environment and host. However, for the ones with two hosts, the search query only searches for the first host. How would I be able to search for both?

sundareshr · ‎07-01-2016

You can use dynamic tokens. Something like this

<input type=dropdown>
<change>
<eval token="hosts">replace($value$, " OR ", " OR host=")</eval>

View solution in original post

jbillings · ‎03-02-2020

Way late to the game, but for anyone that is looking for something like this, you may try insert this in your search. It will make the host field multivalue based on the comma.
| inputlookup
| makemv delim="," host

sundareshr · ‎07-01-2016

You can use dynamic tokens. Something like this

<input type=dropdown>
<change>
<eval token="hosts">replace($value$, " OR ", " OR host=")</eval>

alan20854 · ‎07-05-2016

Would this be the same for if I just had static options in my dropdown?

alan20854 · ‎07-05-2016

I tried to do what you suggested, but it didn't seem to change my search query when I opened it up in search. Here is the XML:

  <input type="dropdown" token="env" searchWhenChanged="true">
  <label>Environment</label>
  <choice value="host1 OR host2 OR host3">PROD</choice>
  <choice value="host1 OR host4">QA</choice>
  <choice value="host5">QI1</choice>
  <choice value="host5 OR host6">QI2</choice>
  <choice value="host7">QC1</choice>
  <change>
    <eval token="hosts">replace($value$, " OR ", " OR host=")</eval>
  </change>
</input>

sundareshr · ‎07-05-2016

If these are static values, your best option would be change the values to

   <choice value="host=host1 OR host=host2 OR host=host3">PROD</choice>
   <choice value="host=host1 OR host=host4">QA</choice>
   <choice value="host=host5">QI1</choice>
   <choice value="host=host5 OR host=host6">QI2</choice>
   <choice value="host=host7">QC1</choice>

If these are dynamically populated, you could add the host= in the query that is populating the dropdown.

The other option is to use tags in your data and in the dropdowns
http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Defineandusetags

alan20854 · ‎07-05-2016

Thanks for the help!

alan20854 · ‎07-05-2016

And my search query is: host = $env$ ...

richgalloway · ‎07-01-2016

If you have control over the lookup table, consider a separate row for the extra host.

app,environment,host
app1,env1,host1
app1,env2,host1
app1,env2,host2

---
If this reply helps you, Karma would be appreciated.

alan20854 · ‎07-01-2016

Hi Rich,

I am using the lookup table to populate my dropdowns, but I do not want to create another dropdown for host. Is there a way to search for both hosts now that they are in separate rows?

richgalloway · ‎07-01-2016

I didn't get the part where you were populating a dropdown. This answer won't help with that.

---
If this reply helps you, Karma would be appreciated.

Field in Lookup Table with Multiple Values

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?