Splunk Search

Filter based on token from macro

smanojkumar
Communicator

Hi Splunkers!

I would like to filter a field when I receive a specific value from a multiselect input dropdown.

I have a field "Type" that receives the multiselect values, which are passed to a search via a macro. In that search, I would like to filter "Assetname" to values having Z as the 3rd letter, only when I'm getting the ADZ value in the field "Type".

 

When I'm not getting the value ADZ, I need to get all values in the field Assetname.

Type - Indus, ADZ, Stan
Assetname - abZahd-2839

So, the Assetname with Z as the 3rd letter needs to be filtered.

Thanks in Advance!

Manoj Kumar S


dtburrows3
Builder

I think you could put a change tag in the multiselect to evaluate a new token to use as a conditional filter based on the selection of the multiselect.

 

<input type="multiselect" token="Type" searchWhenChanged="true">
  <choice value="ADZ">ADZ</choice>
  ...
  <change>
    <eval token="assetname_filter">if(match('Type', "ADZ"), "match(Assetname, \"^\\S{2}Z\")", "isnotnull(Assetname)")</eval>
  </change>
  ...
</input>

 

And then in the search you want to filter, you can use the $assetname_filter$ token after a where command, like this:

 

<base_search>
    | where $assetname_filter$

 


Examples of functionality:
    No ADZ selected (All assets showing)

dtburrows3_0-1704297150411.png

    ADZ is one of the values selected in the multiselect (only **Z* Assetname values are in the final output)

dtburrows3_1-1704297224464.png

 

smanojkumar
Communicator

Hi @dtburrows3 ,

   Thanks for your response!

   If we need to add those two lines in a single search of a macro, where we are receiving Type as a token from the search/dashboard, how do we do that?

   I tried this way; it doesn't work:

| where if(match('Type', "ADZ"), "match(Assetname, \"^\\S{2}Z\")", "isnotnull(Assetname)")


Thanks in Advance!


dtburrows3
Builder

The where command is expecting some sort of boolean result after the logic statement is evaluated. The if() function you shared is passing just another logic statement. I think doing it in a where command would look something like this:

| where if(((match('Type', "ADZ") AND match('Assetname', "^\S{2}Z")) OR NOT match('Type', "ADZ")), True(), False())


Note: This method expects the fields Type and Assetname to both be available in the dataset up to the point of its execution. So a simple example of making the "Type" field available from the multiselect would be:

<base_search>
    ``` make the multiselect token value an available field in the dataset ```
    ``` Since it is common for multiselect token values to be formatted with double-quotes, doing a $<token_name>|s$ here should account for that ```
    ``` It is assumed that the field "Assetname" is available and derived from <base_search> above. ```
    | eval
        Type=$Type|s$
    | where if(((match('Type', "ADZ") AND match('Assetname', "^\S{2}Z")) OR NOT match('Type', "ADZ")), True(), False())

Examples: (with ADZ in Type token)

dtburrows3_0-1704387278104.png

(without ADZ in Type token)

dtburrows3_1-1704387316763.png
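As an added worked example, not code from this thread: the complete Simple XML dashboard below puts both of dtburrows3's approaches side by side against a small constructed dataset (the Assetname values are made up inline with makeresults, so it runs without any index). The first panel uses the assetname_filter token computed in the multiselect's change handler; the second panel uses the `eval Type=$Type|s$` plus `where` lines, which are the two lines that would go into the macro body in the original poster's setup. The token and field names (Type, Assetname, assetname_filter) and the choice values are taken from the thread; everything else (the dashboard label, panel titles, sample asset names) is hypothetical. The dashboard assumes the multiselect has no valuePrefix/valueSuffix and a space delimiter, so the token value is a plain string such as ADZ Indus.

```xml
<form>
  <label>Asset filter by Type (constructed example)</label>

  <!-- Default for the filter token before the multiselect change handler has fired,
       so the first search already has a valid where clause. -->
  <init>
    <set token="assetname_filter">isnotnull(Assetname)</set>
  </init>

  <fieldset submitButton="false">
    <!-- Assumption: no valuePrefix/valueSuffix and a space delimiter, so $Type$ is a
         plain string such as  ADZ Indus  and can be quoted directly inside match().
         If you wrap each value in double quotes instead, the match() below must change. -->
    <input type="multiselect" token="Type" searchWhenChanged="true">
      <label>Type</label>
      <choice value="Indus">Indus</choice>
      <choice value="ADZ">ADZ</choice>
      <choice value="Stan">Stan</choice>
      <default>Indus</default>
      <delimiter> </delimiter>
      <change>
        <!-- Approach 1: build the where clause itself as a token. The eval string
             escapes (\" and \\) produce the token value  match(Assetname, "^\S{2}Z")
             when ADZ is among the selected values, otherwise  isnotnull(Assetname). -->
        <eval token="assetname_filter">if(match("$Type$", "ADZ"), "match(Assetname, \"^\\S{2}Z\")", "isnotnull(Assetname)")</eval>
      </change>
    </input>
  </fieldset>

  <row>
    <!-- Constructed sample data: only abZahd-2839 and xyZ-100 have Z as the 3rd letter. -->
    <panel>
      <title>Approach 1: filter token from the change handler</title>
      <table>
        <search>
          <query>| makeresults
| eval Assetname=split("abZahd-2839,xyZ-100,abcd-1,zzab-9", ",")
| mvexpand Assetname
| where $assetname_filter$
| table Assetname</query>
        </search>
      </table>
    </panel>

    <!-- Approach 2: make the token a field and filter in one where clause. These are the
         two lines that go into the macro body when the search lives in a macro.
         $Type|s$ wraps the token value in double quotes so it is a valid string literal.
         "ADZ selected implies 3rd letter is Z" is written as  NOT A OR B , which is the
         same truth table as the thread's  (A AND B) OR NOT A . -->
    <panel>
      <title>Approach 2: Type as a field, single where clause</title>
      <table>
        <search>
          <query>| makeresults
| eval Assetname=split("abZahd-2839,xyZ-100,abcd-1,zzab-9", ",")
| mvexpand Assetname
| eval Type=$Type|s$
| where (NOT match(Type, "ADZ")) OR match(Assetname, "^\S{2}Z")
| table Type, Assetname</query>
        </search>
      </table>
    </panel>
  </row>
</form>
```

With ADZ selected, both panels list only abZahd-2839 and xyZ-100; with it deselected, all four constructed names appear. Two caveats for the real dashboard: `match(Type, "ADZ")` is a substring test, so another choice value that merely contains ADZ would also switch the filter on, and the `\"`/`\\` escaping in the change handler's eval string is what turns the token into a valid where clause, so check the resolved token value (for example by echoing it in a panel title) if the filter misbehaves.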

 
