Splunk Search

How come our AND operator is not working?

kumar_pashupati
New Member

Hi,

I am trying the checkbox with multiple selections. I have four options: grey, red, yellow and green. When I select only one option, e.g. red, it's working fine. Also, when I select two colors, e.g. red, green and grey... this is also working. But whenever I select more than two options, it's not working. I don't know where the mistake is. Please help me. Please find the code below.

<label>Select any one </label>
<choice value="grey">Grey</choice>
<choice value="red">Red</choice>
<choice value="yellow">Yellow</choice>
<choice value="green">Green</choice>

<!-- this is  working -->  
  <condition match="$pp$==&quot;grey&quot;">
    <set token="query_1"></set> 
    <unset token="query_2"></unset>
    <unset token="query_3"></unset>
    <unset token="query_4"></unset>
    <unset token="query_5"></unset>
    <unset token="query_6"></unset>
    <unset token="query_7"></unset>
    <unset token="query_8"></unset>
    <unset token="query_9"></unset>
    <unset token="query_10"></unset>
    <unset token="query_11"></unset>
    <unset token="query_12"></unset>
    <unset token="query_13"></unset>
    <unset token="query_14"></unset>
    <unset token="query_15"></unset>

  </condition> 

    <unset token="query_1"></unset> 
    <unset token="query_2"></unset>
    <unset token="query_3"></unset>
    <unset token="query_4"></unset>
    <unset token="query_5"></unset>
    <unset token="query_6"></unset>
    <unset token="query_7"></unset>
    <unset token="query_8"></unset>
    <unset token="query_9"></unset>
    <unset token="query_10"></unset>
    <unset token="query_11"></unset>
    <set token="query_12"></set>
    <unset token="query_13"></unset>
    <unset token="query_14"></unset>
    <unset token="query_15"></unset>

  </condition>

    <unset token="query_1"></unset> 
    <unset token="query_2"></unset>
    <unset token="query_3"></unset>
    <unset token="query_4"></unset>
    <unset token="query_5"></unset>
    <unset token="query_6"></unset>
    <unset token="query_7"></unset>
    <unset token="query_8"></unset>
    <unset token="query_9"></unset>
    <unset token="query_10"></unset>
    <unset token="query_11"></unset>
    <unset token="query_12"></unset>
    <unset token="query_13"></unset>
    <unset token="query_14"></unset>
    <set token="query_15"></set>

  </condition>

</change>  
0 Karma

kumar_pashupati
New Member

Why is the below syntax not working?

condition match="match($pp$,"grey") AND match($pp$,"yellow") AND match($pp$,"green")"

0 Karma

niketn
Legend

[Updated Answer]

Added a run-anywhere example, based on the question asked, to set tokens from a check box with multiple options like Grey, Red and Green (other options can be added as per need). An independent search takes the token value from the multiselect and, using SPL, decides the various condition block matches. The match can then be used to set various tokens in the search event handler, i.e. the <done> block in the following example:


<form>
  <label>Multiple options Checkbox</label>
  <fieldset submitButton="false">
  </fieldset>
  <!-- Independent Search To Set Tokens for Multiple Options checked in Checkbox -->
  <search>
    <query>
| makeresults
| fields - _time
| eval SelectedColors="$tokColorCheckBox$"
| eval match=case(match(SelectedColors,"grey") AND match(SelectedColors,"red") AND match(SelectedColors,"green"),"grey_red_green",
  match(SelectedColors,"grey") AND match(SelectedColors,"red") AND NOT match(SelectedColors,"green"),"grey_red",
  match(SelectedColors,"grey") AND match(SelectedColors,"green") AND NOT match(SelectedColors,"red"),"grey_green",
  match(SelectedColors,"red") AND match(SelectedColors,"green") AND NOT match(SelectedColors,"grey"),"red_green",
  match(SelectedColors,"grey") AND NOT match(SelectedColors,"red") AND NOT match(SelectedColors,"green"),"grey",
  match(SelectedColors,"red") AND NOT match(SelectedColors,"grey") AND NOT match(SelectedColors,"green"),"red",
  match(SelectedColors,"green") AND NOT match(SelectedColors,"red") AND NOT match(SelectedColors,"grey"),"green",
  true(), "unmatched")
    </query>
    <done>
      <condition match="$result.match$==&quot;grey_red_green&quot;">
        <set token="tokTestMessage">$result.match$</set>
      </condition>
      <condition match="$result.match$==&quot;grey_red&quot;">
        <set token="tokTestMessage">$result.match$</set>
      </condition>
      <condition match="$result.match$==&quot;grey_green&quot;">
        <set token="tokTestMessage">$result.match$</set>
      </condition>
      <condition match="$result.match$==&quot;red_green&quot;">
        <set token="tokTestMessage">$result.match$</set>
      </condition>
      <condition match="$result.match$==&quot;grey&quot;">
        <set token="tokTestMessage">$result.match$</set>
      </condition>
      <condition match="$result.match$==&quot;red&quot;">
        <set token="tokTestMessage">$result.match$</set>
      </condition>
      <condition match="$result.match$==&quot;green&quot;">
        <set token="tokTestMessage">$result.match$</set>
      </condition>
      <condition>
        <set token="tokTestMessage">$result.match$</set>
      </condition>
    </done>
  </search>
  <row>
    <panel>
      <input type="checkbox" token="tokColorCheckBox" searchWhenChanged="true">
        <label>Pick Color/s</label>
        <choice value="grey">Grey</choice>
        <choice value="red">Red</choice>
        <choice value="green">Green</choice>
      </input>
    </panel>
  </row>
  <row>
    <panel>
      <html>
        <div>Check Box Selected Option: <b>$tokColorCheckBox$</b></div>
        <div>Condition Block for tokens: <b>$tokTestMessage$</b></div>
      </html>
    </panel>
  </row>
</form>

Please try out and confirm! Add conditions for yellow as per your use case.


@kumar_pashupati refer to one of my older answers to use an independent search to set tokens from multi-value inputs like check box or multiselect: https://answers.splunk.com/answers/681330/can-i-hideunhide-specific-text-boxes-using-a-singl.html?ch...

The answer also documents the existing issue with Multiselect and Check Box inputs that they do not allow multiple values to be passed on as predefined tokens. Please adjust independent search as per your use case and confirm!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

mstjohn_splunk
Splunk Employee

hi @kumar_pashupati,

Did you have a chance to check out niketnilay's response? If their answer worked, please resolve this post by approving it! If your problem is still not solved, keep us updated so that someone else can help ya.

Thanks for posting!

0 Karma

kumar_pashupati
New Member

Hi mstjohn_splunk

Please check the above screenshot, and tell me why AND is not working. It is working for two ANDs but not for more than two.

0 Karma

niketn
Legend

@kumar_pashupati, I had provided an example with an independent search to perform multiple matches and set the final tokens for the checkbox. It is present under the updated answer based on your comment. Did you try that? I had also provided, as a comment, an explanation as to why your match was not working and how to make match work under the condition block. Did you try that?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

kumar_pashupati
New Member

Please refer to the below image... I do not understand why the AND operator is not working. Kindly help me on this.


0 Karma

niketn
Legend

@kumar_pashupati the match inside the <condition> block does not work the same as that in SPL. In other words, inside the condition block only an exact match can be met. Since the check boxes yellow, grey and red can be checked in any sequence, you may have to use a condition block like the following:

  <condition match="$pp$==&quot;grey red green&quot; OR $pp$==&quot;grey green red&quot; OR $pp$==&quot;green grey red&quot; OR $pp$==&quot;green red grey&quot; OR $pp$==&quot;red green grey&quot; OR $pp$==&quot;red grey green&quot;">
    <!-- SET YOUR TOKENS HERE -->
  </condition>

In order to reduce the complexity I have provided an example with independent search where $pp$ is assigned to a variable and then SPL match is applied on the same to set the required token in the search event handler. Since the example I have provided is a run-anywhere example, I would recommend you to try out the same and confirm!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
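An order-independent variant of the independent-search approach discussed above, as an added example that is not code from any participant in this thread. It sorts the selected values before joining them, so a single condition per combination replaces both the permutation list and the case() chain. It assumes the checkbox uses its default space delimiter and reuses the token names tokColorCheckBox and tokTestMessage from the answer above; the |s token filter quotes and escapes the token value before it is substituted into the query text.

```xml
<form>
  <label>Order-independent checkbox match (added example)</label>
  <!-- Independent search: canonicalise the selection, then branch on it -->
  <search>
    <query>
| makeresults
| fields - _time
| eval SelectedColors=$tokColorCheckBox|s$
| eval match=mvjoin(mvsort(split(SelectedColors," ")),"_")
    </query>
    <done>
      <!-- mvsort is lexical, so the key is always green_grey_red,
           whatever order the boxes were ticked in -->
      <condition match="$result.match$==&quot;green_grey_red&quot;">
        <set token="tokTestMessage">grey, red and green selected</set>
      </condition>
      <condition match="$result.match$==&quot;green_grey_red_yellow&quot;">
        <set token="tokTestMessage">all four selected</set>
      </condition>
      <condition>
        <!-- any other combination: show the canonical key itself -->
        <set token="tokTestMessage">$result.match$</set>
      </condition>
    </done>
  </search>
  <row>
    <panel>
      <input type="checkbox" token="tokColorCheckBox" searchWhenChanged="true">
        <label>Pick Color/s</label>
        <choice value="grey">Grey</choice>
        <choice value="red">Red</choice>
        <choice value="yellow">Yellow</choice>
        <choice value="green">Green</choice>
      </input>
    </panel>
  </row>
  <row>
    <panel>
      <html>
        <div>Check Box Selected Option: <b>$tokColorCheckBox$</b></div>
        <div>Canonical key / message: <b>$tokTestMessage$</b></div>
      </html>
    </panel>
  </row>
</form>
```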

kumar_pashupati
New Member

This is the input type for the checkbox.

0 Karma

renjith_nair
Legend

Please paste the section which is not working as well. And also, if you want "Select any one", why don't you use a radio button?

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma

kumar_pashupati
New Member

condition match="match($pp$,"grey") AND match($pp$,"yellow") AND match($pp$,"green")"

0 Karma