Filter based on token from macro

smanojkumar
Contributor

Hi Splunkers!

I would like to filter on a field when I receive a specific value from a multiselect input dropdown.

I have a field "Type" where I will get multiselect values, which will be passed to a search by a macro. In that search, I would like to filter "Assetname" to values having Z as the 3rd letter, only when I'm getting the ADZ value in the field "Type".

 

When I'm not getting the value ADZ, I need to get all values in the field Assetname.

Type - Indus, ADZ, Stan
Assetname - abZahd-2839

so, the Assetname with 3rd letter Z needs to be filtered.

Thanks in Advance!

Manoj Kumar S

1 Solution

dtburrows3
Builder

The where command is expecting some sort of boolean result after the logic statement is evaluated. The if() function you shared is passing just another logic statement. I think doing it in a where command would look something like this:

| where if(((match('Type', "ADZ") AND match('Assetname', "^\S{2}Z")) OR NOT match('Type', "ADZ")), True(), False())


Note: This method expects the fields Type and Assetname to both be available in the dataset up to the point of its execution. So a simple example of making the "Type" field available from the multiselect would be:

<base_search>
    ``` make the multiselect token value an available field in the dataset ```
    ``` Since it is common for multiselect token values to be formatted with double-quotes, doing a $<token_name>|s$ here should account for that ```
    ``` It is assumed that the field "Assetname" is available and derived from <base_search> above. ```
    | eval
        Type=$Type|s$
    | where if(((match('Type', "ADZ") AND match('Assetname', "^\S{2}Z")) OR NOT match('Type', "ADZ")), True(), False())

Examples (with ADZ in Type token): [screenshot omitted]

(without ADZ in Type token): [screenshot omitted]

 

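To try the accepted approach without a dashboard or indexed data, here is an added example (it is not from the original answer, nor Splunk's own code): a stand-alone search that builds a constructed set of asset names with makeresults, stands in for the multiselect token with a hard-coded Type field, and applies the same condition written directly as a boolean instead of wrapped in if(..., True(), False()). The asset names and the Type value are made up for the illustration.

```spl
| makeresults
| eval Assetname="abZahd-2839,xyQabc-1001,ppZqrs-0007,noYzzz-0042"
| makemv delim="," Assetname
| mvexpand Assetname
| fields - _time
| eval Type="Indus,ADZ"
| where (NOT match(Type, "ADZ")) OR match(Assetname, "^\S{2}Z")
| table Type Assetname
```

The line eval Type="Indus,ADZ" takes the place of eval Type=$Type|s$ from the answer; change it to "Indus,Stan" and all four assets come back. With ADZ present, only abZahd-2839 and ppZqrs-0007 remain, because ^\S{2}Z is anchored at the start of the value and does not match a Z later in the name (noYzzz-0042 is dropped). The same where clause can go into the macro definition unchanged, since a macro body is just SPL; what the macro needs is that Type exists as a field by the time where runs, which is what the eval Type=$Type|s$ line in the answer provides. One caveat: match(Type, "ADZ") is a substring match, so if another choice value ever contains the letters ADZ, anchor it with \bADZ\b.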

dtburrows3
Builder

I think you could put in a change tag in the multiselect to evaluate a new token to use as a conditional filter based on the selection of the multiselect.

 

<input type="multiselect" token="Type" searchWhenChanged="true">
  <choice value="ADZ">ADZ</choice>
  ...
  <change>
    <eval token="assetname_filter">if(match('Type', "ADZ"), "match(Assetname, \"^\\S{2}Z\")", "isnotnull(Assetname)")</eval>
  </change>
  ...
</input>

 

And then in the search you want to filter you can use the $assetname_filter$ token after a where command like this:

 

<base_search>
    | where $assetname_filter$

 


Examples of functionality:
    No ADZ selected (All assets showing): [screenshot omitted]
    ADZ one of the values selected in the multiselect (Only Assetname values matching **Z* are in the final output): [screenshot omitted]

 

smanojkumar
Contributor

Hi @dtburrows3 ,

   Thanks for your response!

   If we need to add those two lines in a single search of a macro, where we are receiving Type as a token from a search/dashboard, how do we do that?

 

   I tried this way, it doesn't work:

| where if(macth('Type', "ADZ"), "match(Assetname, \"^\\S{2}Z\")", "isnotnull(Assetname)")


Thanks in Advance!

