Splunk Search

How to create a search based on multi-value fields

poorni_p
Explorer

I am new to Splunk and am currently working on a shift roster. There are 3 teams with 3 members in each team (9 members in total).
The roster input file is a CSV file and I haven't defined any lookup yet.

Team 1 - T1 M1, T1 M2, T1 M3
Team 2 - T2 M1, T2 M2, T2 M3
Team 3 - T3 M1, T3 M2, T3 M3

The roster input file looks similar to the below:

Date Day T1 M1 T1 M2 T1 M3 T2 M1 T2 M2,T2 M3,T3 M1,T3 M2,T3 M3
20/1 Thu  Day     Night    Day    Night   Night  Night....
21/1 ...
22/1 ...

I have created a dropdown and a multivalue field:

<input type="dropdown" token="filterby_name" searchWhenChanged="true">
  <label>Filter by</label>
  <choice value="All">All</choice>
  <choice value="Team">Team</choice>
  <choice value="Name">Name</choice>
  <default>All</default>
  <change>
    <unset token="form.tokSystem"></unset>
  </change>
</input>

<input type="multiselect" token="tokSystem" searchWhenChanged="true">
  <label>Pick one</label>
  <fieldForLabel>$filterby_name$</fieldForLabel>
  <fieldForValue>$filterby_name$</fieldForValue>
  <search>
    <query>| makeresults
    | eval All="All",
      Team="Team1,Team2,Team3",
      Name="T1 M1, T1 M2,T1 M3,T2 M1,T2 M2,T2 M3,T3 M1,T3 M2,T3 M3"
    | fields $filterby_name$ | makemv $filterby_name$ delim="," | mvexpand $filterby_name$</query>
  </search>
</input>

I am trying to create the shift roster as a table based on the results of the multivalued field, like below.

It works well when I select only one value for the multivalued field.
Example: if $tokSystem$ is Team1, the search is:

          index="roster_fd" sourcetype="roster" | table Date Day "T1 M1","T1 M2","T1 M3" | where like ("$tokSystem$","Team 1")

But I am not sure how to define the search query if there is more than one value in the multivalue field:

If $tokSystem$ is Team1 and Team2, the search should return the shift roster for the members "T1 M1, T1 M2, T1 M3, T2 M1, T2 M2, T2 M3".
ex: | table Date Day "T1 M1","T1 M2","T1 M3","T2 M1","T2 M2","T2 M3"

Else if $tokSystem$ is Team2 and Team3, the search should return the shift roster for "T2 M1, T2 M2, T2 M3, T3 M1, T3 M2, T3 M3".
ex: | table Date Day "T2 M1","T2 M2","T2 M3","T3 M1","T3 M2","T3 M3"

Else if $tokSystem$ is Team1, Team2 and Team3, the search should return the shift roster for all team members.
ex: | table Date Day "T1 M1","T1 M2","T1 M3","T2 M1","T2 M2","T2 M3","T3 M1","T3 M2","T3 M3"

Please advise how to define the search query for the above. Thanks in advance.

0 Karma

DavidHourani
Super Champion

Hi @poorni_p,

Your dropdown should be something like this. This is a run-anywhere snippet, so you can test the content of the token:

<form>
  <label>Test Dashboard</label>
  <fieldset submitButton="false">
    <input type="multiselect" token="tokSystem" searchWhenChanged="true">
      <label>Pick one</label>
      <fieldForLabel>Name</fieldForLabel>
      <fieldForValue>Name</fieldForValue>
      <search>
        <query>|makeresults | eval All="All",
       Team="Team1,Team2,Team3",
       Name="T1 M1, T1 M2,T1 M3,T2 M1,T2 M2,T2 M3,T3 M1,T3 M2,T3 M3"
       | makemv Name delim=","   | mvexpand Name | table Name</query>
      </search>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> ,</delimiter>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>
        <b>$tokSystem$</b>
      </html>
    </panel>
  </row>
</form>

As for your search, you can just modify it as follows:

 index="roster_fd" sourcetype="roster" | table Date Day $tokSystem$

This should work for you. Let me know if it helps.

Cheers,
David

0 Karma
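As an added illustration (not code from this thread or from Splunk), the Python below simulates what the answer's multiselect produces: the selected values rendered with the valuePrefix, valueSuffix and delimiter settings, and the resulting `table` column list. It goes beyond the answer by also resolving Team selections to the member columns the question lists; the team-to-member mapping, the rendering function and the sample roster rows are constructed assumptions here, not Splunk behaviour verified against the product.

```python
import csv
import io

# Assumed team-to-member mapping, using the column names from the question's CSV header.
TEAM_MEMBERS = {
    "Team1": ["T1 M1", "T1 M2", "T1 M3"],
    "Team2": ["T2 M1", "T2 M2", "T2 M3"],
    "Team3": ["T3 M1", "T3 M2", "T3 M3"],
}

# Constructed sample roster in the shape the question describes.
ROSTER_CSV = """Date,Day,T1 M1,T1 M2,T1 M3,T2 M1,T2 M2,T2 M3,T3 M1,T3 M2,T3 M3
20/1,Thu,Day,Night,Day,Night,Night,Night,Day,Day,Off
21/1,Fri,Night,Day,Day,Day,Off,Night,Night,Day,Day
"""


def resolve_columns(selected):
    """Expand 'All' and Team names to member columns; keep member names as they are."""
    columns = []
    for value in selected:
        value = value.strip()
        if value == "All":
            members = [m for team in TEAM_MEMBERS.values() for m in team]
        elif value in TEAM_MEMBERS:
            members = TEAM_MEMBERS[value]
        else:
            members = [value]
        for m in members:
            if m not in columns:  # selecting Team1 plus T1 M1 must not duplicate a column
                columns.append(m)
    return columns


def render_token(values, prefix='"', suffix='"', delimiter=" ,"):
    """Assumed rendering of a multiselect token with valuePrefix/valueSuffix/delimiter."""
    return delimiter.join(f"{prefix}{v}{suffix}" for v in values)


def build_search(selected):
    """The search from the answer, with $tokSystem$ replaced by the rendered column list."""
    token = render_token(resolve_columns(selected))
    return f'index="roster_fd" sourcetype="roster" | table Date Day {token}'


def run_table(selected, csv_text=ROSTER_CSV):
    """Local stand-in for the `table` projection, to check the column selection offline."""
    columns = ["Date", "Day"] + resolve_columns(selected)
    rows = csv.DictReader(io.StringIO(csv_text))
    return [{c: row[c] for c in columns} for row in rows]
```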

poorni_p
Explorer

Thanks David,

This is awesome when I select a Name (e.g. T1 M1).

How do I get the roster when I select Team1 and Team2 in the multiselect?

The output should be:
| table Date, Day, "T1 M1", "T1 M2", "T1 M3", "T2 M1", "T2 M2", "T2 M3"

I am looking for something like if / else if:
if ($tokSystem$ is Team1 and Team2) return the roster for the members T1 M1, T1 M2, T1 M3, T2 M1, T2 M2, T2 M3
if ($tokSystem$ is Team2 and Team3) return the roster for the members T2 M1, T2 M2, T2 M3, T3 M1, T3 M2, T3 M3
...

0 Karma