Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to achieve Splunk Dashboard text filter?

CodingMaestro
Path Finder
‎05-11-2023 04:07 AM

I have a splunk dashboard that looks like below,

CodingMaestro_0-1683802984525.png

 And i have added the text filter. But when i try to search of the text filter it works. But it only works when i search by one App. But i want it to search so that if i search,
Max, Pan, Ian
It will give me the details for the 3 rows. I have 4000 unique apps so i want it so that if i search Max, Pan, Ian it will give me 3 row details.

If someone can help me on this, it would be greatly appreciated.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-11-2023 05:48 AM

In that case, you should set up a change handler for the input to parse the text field and create a token with the values in quotes e.g. "Max", "Pan", "Ian", then you can use the token to filter with the IN clause

... app IN ($applist$)

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-11-2023 05:09 AM

I presume you have an text input and are using the token in the search for the table.

Are you working with Classic / SimpleXML dashboard or Dashboard Studio?

0 Karma
Reply
Solved! Jump to solution

CodingMaestro
Path Finder
‎05-11-2023 05:39 AM

Yes that's correct,

And its a classic dashboard

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-11-2023 05:48 AM

In that case, you should set up a change handler for the input to parse the text field and create a token with the values in quotes e.g. "Max", "Pan", "Ian", then you can use the token to filter with the IN clause

... app IN ($applist$)

 

0 Karma
Reply
Solved! Jump to solution

CodingMaestro
Path Finder
‎05-11-2023 06:35 AM

This Alone worked, Thanks.

0 Karma
Reply
Solved! Jump to solution

CodingMaestro
Path Finder
‎05-11-2023 06:08 AM

Could you please explain further how to set up a change handler, and how to do it. Thanks.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-11-2023 06:32 AM

I thought by your handle you were a Maestro? 😀

Depending on how sophisticated you want to be in preprocessing the text input (here I have just removed embedded spaces), you could try something like this

<form version="1.1">
  <label>Text parsing</label>
  <fieldset submitButton="false">
    <input type="text" token="apps">
      <label>Application filter</label>
      <change>
        <eval token="app_filter">"\"".mvjoin(split(replace($apps$," ",""),","),"\",\"")."\""</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>... app IN ($app_filter$)</html>
    </panel>
  </row>
</form>
0 Karma
Reply
Get Updates on the Splunk Community!

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...

Adoption of Infrastructure Monitoring at Splunk

  Splunk's Growth Engineering team showcases one of their first Splunk product adoption-Splunk Infrastructure ...

Modern way of developing distributed application using OTel

Recently, I had the opportunity to work on a complex microservice using Spring boot and Quarkus to develop a ...