Splunk Search

How to build a query from 2 different multivalue inputs


I have a bunch of indexes in the format of <environment>-<machineType>

This is something like test-manager, staging-manager, staging-client

I would like to build a dashboard where the user can select 2 different multi-value inputs, one for the environment and another for the machine type which would then reflect on the graphs themselves.

I can build a dynamic multi-valued input for environment using a query like

| eventcount summarize=false index="*" | rex field=index "(?<environment>.*?)-.*?$" | dedup environment | fields environment

or just a static one, doesn't matter much.

What I am having a hard time with is how do I join the user selections into a search?

An example would be the user selects test and qa for environment and then selects manager for machine type and I am looking for the query to contain something like

index="test-manager" OR index="qa-manager"

How would one go about this?

Tags (2)
0 Karma



You can try using token prefix and token suffixes as token itself.
For eg. for environment , token suffix will be -$machinetype$ and for machinetype token prefix will be -$environment$.

Hope this helps!!!!!!!

0 Karma


There are many ways. Probably the easiest, if the words are all distinct on both sides, is to just have each side wildcarded so that...

(index="test-*" OR index="staging-*" ...) AND (index="*-manager" OR  index="*-client"... )
0 Karma
Get Updates on the Splunk Community!

Security Highlights: September 2022 Newsletter

 September 2022 The Splunk App for Fraud Analytics (SFA) is now Splunk SupportedUse your existing Splunk ...

Platform Highlights | September 2022 Newsletter

 September 2022 What’s New in 9.0 and How to UpgradeGet a walk through of what is new Splunk Enterprise 9.0 ...

Observability Highlights | September 2022 Newsletter

 September 2022 Splunk Observability SuiteAccess to "Classic" SignalFx Interface Will be Removed on Sept 30, ...