Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to input value prefix/suffix and delimiter per value in a text token?

donovanw
Engager
‎11-07-2019 12:11 PM

Is it possible to add a per value prefix and suffix, and then divide by a delimiter to multiple values pasted into a textbox?
I have an sql search that I've inserted a search token as part of an IN function. The end result I'm looking for is for a user to simply copy values from say an excel sheet and paste them into the textbox, at which point each value will get an apostrophe prefix/suffix and be delimited by a comma.

Is this possible? The value prefix/suffix seems to be available on the multi-select insert, but not a standard textbox

Effectively I want something like this:

<input type="text" token="serials">
<label>Removed Serials</label>
<valueprefix>'</valueprefix>
<valuesuffix>'</valuesuffix>
<delimiter>,</delimiter>
</input>
  <panel>
  <table>
    <search>
      <query>| dbquery REPORT_DB "
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gaurav_maniar
Builder
‎11-07-2019 02:35 PM

Hi,

Try the below code, if it works you can hide the first row with depends.
The input values should be space separated - 111 222 333

<form theme="dark">
  <label>Serials</label>
  <fieldset submitButton="true" autoRun="false">
    <input type="text" token="serials">
      <label>Removed Serials</label>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>|makeresults | eval input_sql="$serials$" | makemv delim=" " input_sql | mvexpand input_sql | eval input_sql="'".input_sql."'" | mvcombine delim="," input_sql | nomv input_sql</query>
          <earliest>-5m@m</earliest>
          <latest>now</latest>
          <done>
            <set token="input_sql">$result.input_sql$</set>
          </done>
        </search>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <search>
          <query>|dbquery REPORT_DB "Select * from abc IP.Serial IN ($input_sql$)"</query>
          <earliest>-5m@m</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>

accept the answer if it helps.

View solution in original post

Reply
Solved! Jump to solution
Solution

gaurav_maniar
Builder
‎11-07-2019 02:35 PM

Hi,

Try the below code, if it works you can hide the first row with depends.
The input values should be space separated - 111 222 333

<form theme="dark">
  <label>Serials</label>
  <fieldset submitButton="true" autoRun="false">
    <input type="text" token="serials">
      <label>Removed Serials</label>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>|makeresults | eval input_sql="$serials$" | makemv delim=" " input_sql | mvexpand input_sql | eval input_sql="'".input_sql."'" | mvcombine delim="," input_sql | nomv input_sql</query>
          <earliest>-5m@m</earliest>
          <latest>now</latest>
          <done>
            <set token="input_sql">$result.input_sql$</set>
          </done>
        </search>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <search>
          <query>|dbquery REPORT_DB "Select * from abc IP.Serial IN ($input_sql$)"</query>
          <earliest>-5m@m</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>

accept the answer if it helps.

Reply
Solved! Jump to solution

donovanw
Engager
‎11-07-2019 03:01 PM

That definitely helps, thanks a tonne for this.

0 Karma
Reply
Solved! Jump to solution

gaurav_maniar
Builder
‎11-07-2019 12:22 PM

Provide one input and expected query example

0 Karma
Reply
Solved! Jump to solution

donovanw
Engager
‎11-07-2019 12:58 PM

Heya,

Yes of course.
Input example into the textbox would be:

218823181
218824157
218823185

But I need it to be formatted like this for use:
'218823181',
'218824157',
'218823185'

Example of token use:
| dbquery REPORT_DB "
Select *
[...]
WHERE IP.Serial IN ($serials$)

0 Karma
Reply
Solved! Jump to solution

jacobpevans
Motivator
‎11-07-2019 01:37 PM

First off, you want double quotes instead of single.

Second, if you'll never have spaces in the values, you don't need quotes at all, e.g.

 <input type="text" token="serials">
 <label>Removed Serials</label>
 <delimiter>,</delimiter>
 </input>

... | where IP.Serial IN ($serials$)

Edit: Also, try changing where to search

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

A few months ago, we released Splunk Enterprise Security 8.0 for our cloud customers. Today, we are excited to ...

Logs to Metrics

Logs and Metrics Logs are generally unstructured text or structured events emitted by applications and written ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...