Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to create a search based on multi-value fi...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to create a search based on multi-value fields
poorni_p
Explorer
06-21-2019
09:31 PM
I am new to Splunk, currently working on a Shift roster. There are 3 teams and 3 members in each team(totally 9 members).
The roster input file is a CSV file and I haven't defined any lookup yet.
Team 1 - T1 M1, T1 M2, T1 M3
Team 2 - T2 M1, T2 M2, T2 M3
Team 3 - T3 M1, T3 M2, T3 M3
The roster input file looks similar to the below:
Date Day T1 M1 T1 M2 T1 M3 T2 M1 T2 M2,T2 M3,T3 M1,T3 M2,T3 M3
20/1 Thu Day Night Day Night Night Night....
21/1 ...
22/1 ...
I have created a Drop down and multivalue fields.
<input type="dropdown" token="filterby_name" searchWhenChanged="true">
<label>Filter by</label>
<choice value="All">All</choice>
<choice value="Team">Team</choice>
<choice value="Name">Name</choice>
<default>All</default>
<change>
<unset token="form.tokSystem"></unset>
</change>
</input>
<input type="multiselect" token="tokSystem" searchWhenChanged="true">
<label>Pick one</label>
<fieldForLabel>$filterby_name$</fieldForLabel>
<fieldForValue>$filterby_name$</fieldForValue>
<search>
<query> |makeresults
| eval All="All",
Team="Team1,Team2,Team3,
Name="T1 M1, T1 M2,T1 M3,T2 M1,T2 M2,T2 M3,T3 M1,T3 M2,T3 M3"
| fields $filterby_name$ | makemv $filterby_name$ delim="," | mvexpand $filterby_name$</query>
I am trying to create shift roster as a table based on the results of the multivalued field like below:
It works well when I select only one value for multivalued filed.
ex: if $tokSystem$ is Team1 , search below:
index="roster_fd" sourcetype="roster" | table Date Day "T1 M1","T1 M2","T1 M3" | where like ("$tokSystem$","Team 1")
But not sure how to define search query if there are more than 1 value in the multivalue field:
If $tokSystem$ is Team1 and Team2 , search should return "T1 M1, T1 M2,T1 M3,T2 M1,T2 M2,T2 M3 " members shift roster.
ex: | table Date Day "T1 M1", "T1 M2","T1 M3","T2 M1","T2 M2","T2 M3 "
else if $tokSystem$ is Team2 and Team3, search should return shift roster for "T2 M1,T2 M2,T2 M3 ,T3 M1,T3 M2,T3 M3".
ex: | table Date Day "T2 M1","T2 M2",T2 M3" ,"T3 M1","T3 M2","T3 M3"
else if $tokSystem$ is Team1, Team2 and Team3, search should return shift roster for all team members.
ex: | table Date Day "T1 M1","T1 M2",T1 M3" "T2 M1","T2 M2",T2 M3" ,"T3 M1","T3 M2","T3 M3"
Please advise how to define search query for the above. Thanks in advance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DavidHourani
Super Champion
06-22-2019
10:02 AM
Hi @poorni_p,
Your dropdown should be something like this -- This is a run anywhere snippet so you can test the content of the token :
<form>
<label>Test Dashboard</label>
<fieldset submitButton="false">
<input type="multiselect" token="tokSystem" searchWhenChanged="true">
<label>Pick one</label>
<fieldForLabel>Name</fieldForLabel>
<fieldForValue>Name</fieldForValue>
<search>
<query>|makeresults | eval All="All",
Team="Team1,Team2,Team3",
Name="T1 M1, T1 M2,T1 M3,T2 M1,T2 M2,T2 M3,T3 M1,T3 M2,T3 M3"
| makemv Name delim="," | mvexpand Name | table Name</query>
</search>
<valuePrefix>"</valuePrefix>
<valueSuffix>"</valueSuffix>
<delimiter> ,</delimiter>
</input>
</fieldset>
<row>
<panel>
<html >
<b>$tokSystem$</b>
</html>
</panel>
</row>
</form>
As for your search you can just modify it and make it as follows :
index="roster_fd" sourcetype="roster" | table Date Day $tokSystem$
This should work for you. Let me know if it helps.
Cheers,
David
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
poorni_p
Explorer
06-22-2019
02:53 PM
Thanks David,
this is awesome when I select a Name (ex: T1 M1 or ..) ,
How to get roster when i select Team1 and Team2 in the multiselect?
the output should be
|table Date,Day,T1 M1 ,T1 M2 , T1 M3, T2 M1,T2 M2,T2 M3
i am looking for something like if - else if
if($tokSystem$ is Team1 and Team2) return roster for T1 M1 ,T1 M2 , T1 M3, T2 M1,T2 M2,T2 M3 members
if($tokSystem$ is Team2 and Team3) return roster for T2 M1,T2 M2,T2 M3, T3 M1,T3 M2,T3 M3 members
...
Get Updates on the Splunk Community!
The Payment Operations Wake-Up Call: Why Financial Institutions Can't Afford ...
The same scenario plays out across financial institutions daily. A payment system fails at 11:30 AM on a busy ...
Make Your Case: A Ready-to-Send Letter for Getting Approval to Attend .conf25
Hello Splunkers,
Want to attend .conf25 in Boston this year but not sure how to convince your manager? We've ...
Community Spotlight: A Splunk Expert's Journey
In the world of data analytics, some journeys leave a lasting impact not only on the individual but on the ...
