Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to achieve Splunk Dashboard text filter?

CodingMaestro
Path Finder
‎05-11-2023 04:07 AM

I have a splunk dashboard that looks like below,

CodingMaestro_0-1683802984525.png

 And i have added the text filter. But when i try to search of the text filter it works. But it only works when i search by one App. But i want it to search so that if i search,
Max, Pan, Ian
It will give me the details for the 3 rows. I have 4000 unique apps so i want it so that if i search Max, Pan, Ian it will give me 3 row details.

If someone can help me on this, it would be greatly appreciated.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-11-2023 05:48 AM

In that case, you should set up a change handler for the input to parse the text field and create a token with the values in quotes e.g. "Max", "Pan", "Ian", then you can use the token to filter with the IN clause

... app IN ($applist$)

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-11-2023 05:09 AM

I presume you have an text input and are using the token in the search for the table.

Are you working with Classic / SimpleXML dashboard or Dashboard Studio?

0 Karma
Reply
Solved! Jump to solution

CodingMaestro
Path Finder
‎05-11-2023 05:39 AM

Yes that's correct,

And its a classic dashboard

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-11-2023 05:48 AM

In that case, you should set up a change handler for the input to parse the text field and create a token with the values in quotes e.g. "Max", "Pan", "Ian", then you can use the token to filter with the IN clause

... app IN ($applist$)

 

0 Karma
Reply
Solved! Jump to solution

CodingMaestro
Path Finder
‎05-11-2023 06:35 AM

This Alone worked, Thanks.

0 Karma
Reply
Solved! Jump to solution

CodingMaestro
Path Finder
‎05-11-2023 06:08 AM

Could you please explain further how to set up a change handler, and how to do it. Thanks.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-11-2023 06:32 AM

I thought by your handle you were a Maestro? 😀

Depending on how sophisticated you want to be in preprocessing the text input (here I have just removed embedded spaces), you could try something like this

<form version="1.1">
  <label>Text parsing</label>
  <fieldset submitButton="false">
    <input type="text" token="apps">
      <label>Application filter</label>
      <change>
        <eval token="app_filter">"\"".mvjoin(split(replace($apps$," ",""),","),"\",\"")."\""</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>... app IN ($app_filter$)</html>
    </panel>
  </row>
</form>
0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...