Splunk Search

How to pass a multiselect parameter to a search?

M_Chong
Engager

I have a multiselect on session_id and created a search to generate session_ids for a particular user. I created a user text box and passed the $user$ to the session_id multiselect, where it populates that $user$ session ID. I want the option to select a specific session_id as well as select all. I set the default value to ALL and also defined all=*. When the search populates, it returns all users' session IDs instead of that particular user's. Any thoughts?

1 Solution

gyslainlatsa
Motivator

Hi M_Chong,

Try something like this:

<fieldset autoRun="true" submitButton="false">

  <input type="text" token="user" searchWhenChanged="true">
    <label>Enter a user:</label>
    <default>user1</default>
  </input>

  <input type="multiselect" token="session_id_token" searchWhenChanged="true">
    <default>*</default>
    <prefix>(</prefix>
    <suffix>)</suffix>
    <valuePrefix>session_id="</valuePrefix>
    <valueSuffix>"</valueSuffix>
    <delimiter> OR </delimiter>
    <choice value="*">ALL</choice>
    <populatingSearch earliest="0" latest="" fieldForLabel="session_id" fieldForValue="session_id">
      index=name_index user=$user$ | stats count by session_id
    </populatingSearch>
  </input>

</fieldset>

M_Chong
Engager

Thank you Gyslainlatsa.

I used the following and cannot get the results to populate on a dashboard panel:

VPN Search Clone
VPN search and session_ID

<input type="text" token="user" searchWhenChanged="true">
  <label>Enter a user:</label>
  <default>user1</default>
</input>
<input type="multiselect" token="session_id" searchWhenChanged="true">
  <default>*</default>
  <prefix>(</prefix>
  <suffix>)</suffix>
  <valuePrefix>session_id="</valuePrefix>
  <valueSuffix>"</valueSuffix>
  <delimiter> OR </delimiter>
  <choice value="*">ALL</choice>
  <search>
    <query>sourcetype="f5:bigip:apm:syslog" user=$user$  | stats count by session_id</query>
    <earliest>0</earliest>
    <latest></latest>
  </search>
  <fieldForLabel>session_id</fieldForLabel>
  <fieldForValue>session_id</fieldForValue>
</input>
<input type="time" token="field1">
  <label></label>
  <default>
    <earliest>0</earliest>
    <latest></latest>
  </default>
</input>


<panel>
  <event>
    <search>
      <query>sourcetype="f5:bigip:apm:syslog" user=$user$ session_id=$session_id$</query>
      <earliest>$field1.earliest$</earliest>
      <latest>$field1.latest$</latest>
    </search>
    <option name="list.drilldown">full</option>
    <option name="list.wrap">1</option>
    <option name="maxLines">5</option>
    <option name="raw.drilldown">full</option>
    <option name="rowNumbers">0</option>
    <option name="table.drilldown">all</option>
    <option name="table.wrap">1</option>
    <option name="type">list</option>
    <option name="wrap">true</option>
    <option name="dataOverlayMode">none</option>
    <option name="count">10</option>
    <fields>["host","source","sourcetype"]</fields>
  </event>
</panel>

gyslainlatsa
Motivator

Hi,

If your multiselect does not populate, it means that the user that you entered in the textbox has no session_id; try other users to see.

One clarification: where you wrote session_id = $session_id$, remove that and put just $session_id$, because the prefix session_id= is already defined in the multiselect.

For the user text input, remove <default>user1</default> and put <default>*</default>

Try it and let me know if it works.

Please forgive my English.

If it works, don't forget to vote for my previous answers.

0 Karma
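
The token expansion discussed in the reply above, as an added example that is not part of the original thread: a small Python model of how a multiselect's prefix, valuePrefix, valueSuffix, delimiter and suffix combine into the token text, and what the panel query becomes with and without the extra session_id=. The session IDs are constructed and the helper names are hypothetical; this models the assembly order only and is not Splunk's own code.

```python
"""Model of how a Simple XML multiselect token is assembled and substituted."""
import re


def multiselect_token(values, prefix="", suffix="", value_prefix="",
                      value_suffix="", delimiter=" "):
    """Token text = prefix + delimiter-joined (valuePrefix+value+valueSuffix) + suffix."""
    wrapped = [f"{value_prefix}{v}{value_suffix}" for v in values]
    return f"{prefix}{delimiter.join(wrapped)}{suffix}"


def substitute(query, tokens):
    """Replace every $name$ in the query with that token's text."""
    return re.sub(r"\$(\w+)\$", lambda m: tokens[m.group(1)], query)


def doubled_fields(search):
    """Return field names that appear as field=(field=..., the mistake in this thread."""
    return re.findall(r"\b(\w+)\s*=\s*\(\s*\1\s*=", search)


# Settings copied from the multiselect posted in the thread.
SETTINGS = dict(prefix="(", suffix=")", value_prefix='session_id="',
                value_suffix='"', delimiter=" OR ")

BASE = 'sourcetype="f5:bigip:apm:syslog" user=$user$ '
PANEL_AS_POSTED = BASE + "session_id=$session_id$"   # field name written twice
PANEL_CORRECTED = BASE + "$session_id$"              # token already carries it


def expand(panel_query, user, selected):
    """Return the search string the panel would run for these input values."""
    tokens = {"user": user,
              "session_id": multiselect_token(selected, **SETTINGS)}
    return substitute(panel_query, tokens)


if __name__ == "__main__":
    picks = ["a1b2", "c3d4"]  # constructed session IDs
    for label, query in (("as posted", PANEL_AS_POSTED),
                         ("corrected", PANEL_CORRECTED)):
        for selected in (["*"], picks):
            search = expand(query, "user1", selected)
            print(f"{label:10} {search}  doubled={doubled_fields(search)}")
```
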