Splunk Search

How to input value prefix/suffix and delimiter per value in a text token?

Engager

Is it possible to add a per value prefix and suffix, and then divide by a delimiter to multiple values pasted into a textbox?
I have an sql search that I've inserted a search token as part of an IN function. The end result I'm looking for is for a user to simply copy values from say an excel sheet and paste them into the textbox, at which point each value will get an apostrophe prefix/suffix and be delimited by a comma.

Is this possible? The value prefix/suffix seems to be available on the multi-select insert, but not a standard textbox

Effectively I want something like this:

<input type="text" token="serials">
<label>Removed Serials</label>
<valueprefix>'</valueprefix>
<valuesuffix>'</valuesuffix>
<delimiter>,</delimiter>
</input>
  <panel>
  <table>
    <search>
      <query>| dbquery REPORT_DB "
0 Karma
1 Solution

Hi,

Try the below code, if it works you can hide the first row with depends.
The input values should be space separated - 111 222 333

<form theme="dark">
  <label>Serials</label>
  <fieldset submitButton="true" autoRun="false">
    <input type="text" token="serials">
      <label>Removed Serials</label>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>|makeresults | eval input_sql="$serials$" | makemv delim=" " input_sql | mvexpand input_sql | eval input_sql="'".input_sql."'" | mvcombine delim="," input_sql | nomv input_sql</query>
          <earliest>-5m@m</earliest>
          <latest>now</latest>
          <done>
            <set token="input_sql">$result.input_sql$</set>
          </done>
        </search>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <search>
          <query>|dbquery REPORT_DB "Select * from abc IP.Serial IN ($input_sql$)"</query>
          <earliest>-5m@m</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>

accept the answer if it helps.

View solution in original post

Hi,

Try the below code, if it works you can hide the first row with depends.
The input values should be space separated - 111 222 333

<form theme="dark">
  <label>Serials</label>
  <fieldset submitButton="true" autoRun="false">
    <input type="text" token="serials">
      <label>Removed Serials</label>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>|makeresults | eval input_sql="$serials$" | makemv delim=" " input_sql | mvexpand input_sql | eval input_sql="'".input_sql."'" | mvcombine delim="," input_sql | nomv input_sql</query>
          <earliest>-5m@m</earliest>
          <latest>now</latest>
          <done>
            <set token="input_sql">$result.input_sql$</set>
          </done>
        </search>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <search>
          <query>|dbquery REPORT_DB "Select * from abc IP.Serial IN ($input_sql$)"</query>
          <earliest>-5m@m</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>

accept the answer if it helps.

View solution in original post

Engager

That definitely helps, thanks a tonne for this.

0 Karma

Provide one input and expected query example

0 Karma

Engager

Heya,

Yes of course.
Input example into the textbox would be:

218823181
218824157
218823185

But I need it to be formatted like this for use:
'218823181',
'218824157',
'218823185'

Example of token use:
| dbquery REPORT_DB "
Select *
[...]
WHERE IP.Serial IN ($serials$)

0 Karma

Motivator

First off, you want double quotes instead of single.

Second, if you'll never have spaces in the values, you don't need quotes at all, e.g.

 <input type="text" token="serials">
 <label>Removed Serials</label>
 <delimiter>,</delimiter>
 </input>

... | where IP.Serial IN ($serials$)

Edit: Also, try changing where to search

Cheers,
Jacob
0 Karma