Re: How to filter events using text box values?

karthi2809 · ‎11-19-2024

How to filter events in the dashboard with help of search box.In the search box i have to give multiple strings like error,warning so i need to sort out only error and warning logs.

In Dashboard XML:

<input type="text" token="Text_Token" searchWhenChanged="true">
<label>Error Search (comm-seprated)</label>

</input>

index=test Message="*"| eval error_list=split("$Text_Token$", ",")| table PST_Time Environment Host Component FileName Message | search Message IN ("error_list") OR Environment=QDEV Component IN (AdminServer) FileName=*| search NOT Message IN ("*null*")|sort PST_Time

yuanliu · ‎11-19-2024

Let me first comment that your use case should NOT be a freetext "search box" as input. It should be a multiselect. Play with the following example and see if it fits your needs:

<form version="1.1" theme="light">
  <label>Multivalue input</label>
  <description>https://community.splunk.com/t5/Splunk-Search/How-to-filter-events-using-text-box-values/m-p/704698</description>
  <fieldset submitButton="false">
    <input type="multiselect" token="multivalue_field_tok" searchWhenChanged="true">
      <label>select all field values</label>
      <choice value="INFO">INFO</choice>
      <choice value="WARNING">WARNING</choice>
      <choice value="ERROR">ERROR</choice>
      <choice value="*">All</choice>
      <default>*</default>
    </input>
    <input type="multiselect" token="multivalue_term_tok" searchWhenChanged="true">
      <label>select all terms</label>
      <choice value="INFO">INFO</choice>
      <choice value="WARNING">WARNING</choice>
      <choice value="ERROR">ERROR</choice>
      <choice value="*">All</choice>
      <default>*</default>
      <delimiter> OR </delimiter>
    </input>
  </fieldset>
  <row>
    <panel>
      <event>
        <search>
          <query>index = _internal log_level IN ($multivalue_field_tok$)</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="list.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </event>
    </panel>
    <panel>
      <event>
        <title>no field name</title>
        <search>
          <query>index = _internal ($multivalue_term_tok$)</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="list.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </event>
    </panel>
  </row>
</form>

If comma-delimited freetext term input is needed, it is doable, but will not be as efficient as the above. Please state your use case clearly (without help of SPL) so volunteers can give you concrete help.

karthi2809 · ‎11-29-2024

Hi @yuanliu

In my case i need to search in textbox with dynamic values from message field not with predefined values.

bowesmana · ‎12-01-2024

@karthi2809 I tend to use a text box where I can insert a where clause, like this

  <row id="button_row">
    <panel>
      <input id="events_where" type="text" token="where_clause" searchWhenChanged="true">
        <label>Event filter where clause</label>
        <default></default>
      </input>
      <event>
        <search>
          <query>
index=_internal host=bla
| where $where_clause$
          </query>
          <earliest>$selection.earliest$</earliest>
          <latest>$selection.latest$</latest>
        </search>
      </event>
    </panel>
  </row>

it gives you flexibility to construct whatever you want, so as long as you know how to write valid SPL queries, you can use whatever eval statements you like, e.g.

You can do it with a search clause, but I find more flexibility to use eval based filters.

You can also make your text box nice and wide using the id="xxx" in the <input> and then add this css

  <row depends="$CSS$">
    <panel>
      <html>
        <style>
          #events_where .splunk-textinput { width: 400px !important; }
        </style>
      </html>
    </panel>
  </row>

yuanliu · ‎11-30-2024

In my case i need to search in textbox with dynamic values from message field not with predefined values.

Dynamic doesn't mean it should be free text. This next example gives you two inputs, one a truly dynamic, multiselect, the other a free text if you absolutely want to go that route.

<form version="1.1">
  <label>Multivalue input</label>
  <description>https://community.splunk.com/t5/Splunk-Search/How-to-filter-events-using-text-box-values/m-p/704698</description>
  <fieldset submitButton="false">
    <input type="multiselect" token="multiselect_tok" searchWhenChanged="true">
      <label>select all applicable</label>
      <choice value="*">All</choice>
      <initialValue>*</initialValue>
      <fieldForLabel>log_level</fieldForLabel>
      <fieldForValue>log_level</fieldForValue>
      <search>
        <query>index = _internal log_level = *
| stats count by log_level</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
    <input type="text" token="multivalue_text_tok" searchWhenChanged="true">
      <label>enter comma separated</label>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <event>
        <title>Using &gt;$multiselect_tok$&lt;</title>
        <search>
          <query>index = _internal log_level IN ($multiselect_tok$)</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="list.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </event>
    </panel>
    <panel>
      <event>
        <title>Using &gt;$multivalue_text_tok$&lt;</title>
        <search>
          <query>index = _internal
    [| makeresults
    | fields - _time
    | eval log_level = upper(trim(split("$multivalue_text_tok$", ",")))]</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="list.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </event>
    </panel>
  </row>
</form>

The problem with free text is that people make far more mistakes than machines do. My code tries to cope with that as much as possible. But unless you have a use case that uses free text in a meaningful way, forget comma delimited input.

gcusello · ‎11-19-2024

Hi @karthi2809 ,

at first, if you have the fields in the main search, don't use the search command in the secondary lines but always in the main,

then, the easiest way it to use the OR boolean operator to divide words to search, instead commas:

index=test Message="* ($Text_Token$) 
| sort PST_Time

Ciao.

Giuseppe

karthi2809 · ‎11-19-2024

@gcusello If i want to search multiple keywords using comma seperate in the same text field.

karthi2809 · ‎11-19-2024

I am using multiple filter in that Error search is one of the filter in which i need to type the values or multiple values with comma and i need to filter the result

How to filter events using text box values?

eval

What You Read The Most: Splunk Lantern’s Most Popular Articles!

See your relevant APM services, dashboards, and alerts in one place with the updated ...

Index This | What goes away as soon as you talk about it?

Are you a member of the Splunk Community?

How to filter events using text box values?

eval

What You Read The Most: Splunk Lantern’s Most Popular Articles!

See your relevant APM services, dashboards, and alerts in one place with the updated ...

Index This | What goes away as soon as you talk about it?