Solved: Re: How to filter the values of 5 columns using ch...

Hanliamadeus · ‎04-30-2019

Let's imagine that I have a table as the picture below displayed.
Column 5 listed the column names who have the "YES" value.

Now, I need to create a Checkbox, where lists the column names of "column1" to "column 4", if I click "Column2" option in the checkbox, the table would only display where Column5 has "Column2" value. If I click "Column1" and "Column3", the table will only show where column5 has "Column1/ Column3".

I know how to list all the values of Column 5 in the checkbox, but I just need to show the single value instead of the combined values.
Please tell me how to do that, I hope my explanation is clear, if you are confused, please let me know, thank you very much.

niketn · ‎05-01-2019

@Hanliamadeus please try the following run anywhere example based on the sample data provided which sets the token $tokColumnFilter$ set through the checkbox:

<form>
  <label>Checkbox Filter</label>
  <fieldset submitButton="false">
    <input type="checkbox" token="tokColumnFilter" searchWhenChanged="true">
      <label>Filter based on Columns</label>
      <choice value="*">All</choice>
      <choice value="Column1">Column1</choice>
      <choice value="Column2">Column2</choice>
      <choice value="Column3">Column3</choice>
      <choice value="Column4">Column4</choice>
      <prefix>Column5="</prefix>
      <suffix>"</suffix>
      <delimiter>/</delimiter>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults
| fields - _time
| eval data="YES,NO,YES,NO,Column1/Column3;NO,YES,NO,NO,Column2;YES,NO,YES,YES,Column1/Column3/Column4"
| makemv data delim=";"
| mvexpand data
| makemv data delim=","
| eval Column1=mvindex(data,0),
       Column2=mvindex(data,1),
       Column3=mvindex(data,2),
       Column4=mvindex(data,3),
       Column5=mvindex(data,4)
| fields Column*
| search $tokColumnFilter$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

niketn · ‎05-01-2019

@Hanliamadeus please try the following run anywhere example based on the sample data provided which sets the token $tokColumnFilter$ set through the checkbox:

<form>
  <label>Checkbox Filter</label>
  <fieldset submitButton="false">
    <input type="checkbox" token="tokColumnFilter" searchWhenChanged="true">
      <label>Filter based on Columns</label>
      <choice value="*">All</choice>
      <choice value="Column1">Column1</choice>
      <choice value="Column2">Column2</choice>
      <choice value="Column3">Column3</choice>
      <choice value="Column4">Column4</choice>
      <prefix>Column5="</prefix>
      <suffix>"</suffix>
      <delimiter>/</delimiter>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults
| fields - _time
| eval data="YES,NO,YES,NO,Column1/Column3;NO,YES,NO,NO,Column2;YES,NO,YES,YES,Column1/Column3/Column4"
| makemv data delim=";"
| mvexpand data
| makemv data delim=","
| eval Column1=mvindex(data,0),
       Column2=mvindex(data,1),
       Column3=mvindex(data,2),
       Column4=mvindex(data,3),
       Column5=mvindex(data,4)
| fields Column*
| search $tokColumnFilter$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Hanliamadeus · ‎05-02-2019

Thank you very much for your help! It's a good solution.

Sukisen1981 · ‎04-30-2019

what happens if i just choose column1 ? is it supposed to return rows 1 and 3 as the result? Also, why do you want a check box and not a multiselect input token?

How to filter the values of 5 columns using checkbox?

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?

How to filter the values of 5 columns using checkbox?

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem