How to build a query from 2 different multivalue i...

ByteFlinger · ‎11-07-2017

I have a bunch of indexes in the format of <environment>-<machineType>

This is something like test-manager, staging-manager, staging-client

I would like to build a dashboard where the user can select 2 different multi-value inputs, one for the environment and another for the machine type which would then reflect on the graphs themselves.

I can build a dynamic multi-valued input for environment using a query like

| eventcount summarize=false index="*" | rex field=index "(?<environment>.*?)-.*?$" | dedup environment | fields environment

or just a static one, doesn't matter much.

What I am having a hard time with is how do I join the user selections into a search?

An example would be the user selects test and qa for environment and then selects manager for machine type and I am looking for the query to contain something like

index="test-manager" OR index="qa-manager"

How would one go about this?

deepashri_123 · ‎12-12-2017

Hi,

You can try using token prefix and token suffixes as token itself.
For eg. for environment , token suffix will be -$machinetype$ and for machinetype token prefix will be -$environment$.

Hope this helps!!!!!!!

DalJeanis · ‎11-07-2017

There are many ways. Probably the easiest, if the words are all distinct on both sides, is to just have each side wildcarded so that...

(index="test-*" OR index="staging-*" ...) AND (index="*-manager" OR  index="*-client"... )

How to build a query from 2 different multivalue inputs

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation