Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to create a search based on multi-value fields

poorni_p
Explorer
‎06-21-2019 09:31 PM

I am new to Splunk, currently working on a Shift roster. There are 3 teams and 3 members in each team(totally 9 members).
The roster input file is a CSV file and I haven't defined any lookup yet.

Team 1 - T1 M1, T1 M2, T1 M3
Team 2 - T2 M1, T2 M2, T2 M3
Team 3 - T3 M1, T3 M2, T3 M3

The roster input file looks similar to the below:

Date Day T1 M1 T1 M2 T1 M3 T2 M1 T2 M2,T2 M3,T3 M1,T3 M2,T3 M3
20/1 Thu  Day     Night    Day    Night   Night  Night....
21/1 ...
22/1 ...

I have created a Drop down and multivalue fields.

 <input type="dropdown" token="filterby_name" searchWhenChanged="true">
  <label>Filter by</label>
  <choice value="All">All</choice>
  <choice value="Team">Team</choice>
  <choice value="Name">Name</choice>
  <default>All</default>
  <change>
    <unset token="form.tokSystem"></unset>
  </change>
</input>

<input type="multiselect" token="tokSystem" searchWhenChanged="true">
  <label>Pick one</label>
  <fieldForLabel>$filterby_name$</fieldForLabel>
  <fieldForValue>$filterby_name$</fieldForValue>
  <search>
      <query> |makeresults
      | eval All="All",
      Team="Team1,Team2,Team3,
      Name="T1 M1, T1 M2,T1 M3,T2 M1,T2 M2,T2 M3,T3 M1,T3 M2,T3 M3"
      | fields $filterby_name$   | makemv $filterby_name$ delim=","   | mvexpand $filterby_name$</query>

I am trying to create shift roster as a table based on the results of the multivalued field like below:

It works well when I select only one value for multivalued filed.
ex: if $tokSystem$ is Team1 , search below: 

          index="roster_fd" sourcetype="roster" | table Date Day "T1 M1","T1 M2","T1 M3" | where like ("$tokSystem$","Team 1")

But not sure how to define search query if there are more than 1 value in the multivalue field:

If $tokSystem$ is Team1 and Team2 , search should return "T1 M1, T1 M2,T1 M3,T2 M1,T2 M2,T2 M3 " members shift roster.
ex: | table Date Day "T1 M1", "T1 M2","T1 M3","T2 M1","T2 M2","T2 M3 "

else if $tokSystem$ is Team2 and Team3, search should return shift roster for "T2 M1,T2 M2,T2 M3 ,T3 M1,T3 M2,T3 M3".
ex: | table Date Day "T2 M1","T2 M2",T2 M3" ,"T3 M1","T3 M2","T3 M3"

else if $tokSystem$ is Team1, Team2 and Team3, search should return shift roster for all team members.
ex: | table Date Day "T1 M1","T1 M2",T1 M3" "T2 M1","T2 M2",T2 M3" ,"T3 M1","T3 M2","T3 M3"

Please advise how to define search query for the above. Thanks in advance.

0 Karma
Reply

DavidHourani
Super Champion
‎06-22-2019 10:02 AM

Hi @poorni_p,

Your dropdown should be something like this -- This is a run anywhere snippet so you can test the content of the token :

<form>
  <label>Test Dashboard</label>
  <fieldset submitButton="false">
    <input type="multiselect" token="tokSystem" searchWhenChanged="true">
      <label>Pick one</label>
      <fieldForLabel>Name</fieldForLabel>
      <fieldForValue>Name</fieldForValue>
      <search>
        <query>|makeresults | eval All="All",
       Team="Team1,Team2,Team3",
       Name="T1 M1, T1 M2,T1 M3,T2 M1,T2 M2,T2 M3,T3 M1,T3 M2,T3 M3"
       | makemv Name delim=","   | mvexpand Name | table Name</query>
      </search>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> ,</delimiter>
    </input>
  </fieldset>
  <row>
    <panel>
      <html >
         <b>$tokSystem$</b>
        </html>
    </panel>
  </row>
</form>

As for your search you can just modify it and make it as follows :

 index="roster_fd" sourcetype="roster" | table Date Day $tokSystem$

This should work for you. Let me know if it helps.

Cheers,
David

0 Karma
Reply

poorni_p
Explorer
‎06-22-2019 02:53 PM

Thanks David,

this is awesome when I select a Name (ex: T1 M1 or ..) ,

How to get roster when i select Team1 and Team2 in the multiselect?

the output should be
|table Date,Day,T1 M1 ,T1 M2 , T1 M3, T2 M1,T2 M2,T2 M3

i am looking for something like if - else if
if($tokSystem$ is Team1 and Team2) return roster for T1 M1 ,T1 M2 , T1 M3, T2 M1,T2 M2,T2 M3 members
if($tokSystem$ is Team2 and Team3) return roster for T2 M1,T2 M2,T2 M3, T3 M1,T3 M2,T3 M3 members
...

0 Karma
Reply
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!