Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Find events matching a multi-value field

davby
Explorer
‎06-19-2014 10:25 AM

I am defining a dashboard panel that uses a token $s_user$ that may contain a comma-separated list of values (it is set from $row.field$ for a multivalue field). I want to find events where the user field matches one of the values in $s_user$ (as well as some other criteria).

For example, if $s_user$ is "user1,user2,user3", then I want a search that does the equivalent of:

client=$client$ AND (user=user1 OR user=user2 OR user=user3)

What is the best way to accomplish this?

I have tried the following, which works but seems clumsy (particularly since I have several tokens like s_user):

client=$client$ AND [search * | head 1 | eval user=split("$s_user$", ",") | fields user | format]

I have also tried this, which sort of works:

client=$client$ | eval users=split("$s_user$", ",") | where mvfind(users, user) >= 0

But that I suspect that is far slower, is also clumsy, and won't do the right thing if the user field contains regexp metacharacters.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎06-19-2014 11:30 AM

Give this a try (should be faster than whatever you've tried so far)

client=$client$ AND [| gentimes start=-1 | eval user="$s_user$" | makemv delim="," user | mvexpand user | table user | format]

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎06-19-2014 11:30 AM

Give this a try (should be faster than whatever you've tried so far)

client=$client$ AND [| gentimes start=-1 | eval user="$s_user$" | makemv delim="," user | mvexpand user | table user | format]
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎06-20-2014 06:12 AM

Great.. Please accept the answer if there are no followup question around the same.

0 Karma
Reply
Solved! Jump to solution

k_harini
Communicator
‎08-25-2017 04:08 AM

@somesoni2, can you please help here.

I have exactly similar case and I tried the answer you gave, its taking only first value and not all the values.
index=xxx_index| search Project="abc Online" AND [|gentimes start=-1|eval ref_incident_u_n_1_group = "abc Online MDT Support, abc Online Support" | makemv delim="," ref_incident_u_n_1_group|mvexpand ref_incident_u_n_1_group|table ref_incident_u_n_1_group|format ] |stats count by ref_incident_u_n_1_group work_queue
I will be passing token to ref_incident_u_n_1_group with , delimiter as in the query. Here for stats I get results for "abc Online MDT Support" but not for "abc Online Support". Is it because of spaces..? what could be the reason? please suggest

0 Karma
Reply
Solved! Jump to solution

k_harini
Communicator
‎08-25-2017 07:30 PM

This is working now. Thanks much

0 Karma
Reply
Solved! Jump to solution

davby
Explorer
‎06-20-2014 03:41 AM

That seems to work, and taught me about gentimes and helped me understand more about format.

Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...