Splunk Search

How to search on each entry in a text box input where entries are comma-delimited?

splunk_vb
Explorer

I have users entering usernames separated by commas into a text box input. I want to run a search on this input that finds any events that have any of the usernames (this is for a base search). So if the user enters username1,username2,username3, I want the search

 | search user=username1 OR user=username2 OR user=username3
to run. I tried using a multivalue field:

| eval user2 = $text_box_input$
| makemv delim="," user2
| mvcombine user2 delim="OR user="
| nomv user2
| search user=user2

But it wasn't working for me. Any help would be appreciated!

0 Karma
1 Solution

niketn
Legend

@splunk_vb, if you are on Splunk 6.6 or later, this should be fairly easy with the IN operator for multiple value comparison. For previous versions of Splunk you may have to run an independent search to set multiple OR conditions similar to the one mentioned in your question. (PS: Search event handler <done> is used in version 6.5 or higher, which was <finalized> in version 6.4 or before.)

Please try the following run-anywhere dashboard example based on Splunk's _internal index, which has log_level values INFO, WARN and ERROR, for testing and showcasing both scenarios:


Following is the Simple XML code for the screenshot attached:

<form>
  <label>Text Box Multiple Value Filter</label>
  <!-- Independent search to prepare filter data for Option 2-->
  <search>
    <query>| makeresults
| fields - _time
| eval filterData=$tokLogLevelOption2|s$
| eval filterData=replace(filterData,",","\" OR log_level=\"")</query>
    <done>
      <set token="tokLogLevelOption2Filter">$result.filterData$</set>
    </done>
  </search>
  <fieldset submitButton="false">
    <input type="time" token="tokTime" searchWhenChanged="true">
      <label>Select Time</label>
      <default>
        <earliest>-1d@d</earliest>
        <latest>@d</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Option 1: Splunk 6.6 or higher with IN clause</title>
      <input type="text" token="tokLogLevelOption1" searchWhenChanged="true">
        <label>Log Level Filters ( INFO, ERROR and WARN)</label>
      </input>
      <table>
        <search>
          <query>index=_internal sourcetype=splunkd log_level IN ($tokLogLevelOption1$)
| stats count by log_level</query>
          <earliest>$tokTime.earliest$</earliest>
          <latest>$tokTime.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Option 2: Splunk 6.5 or prior with OR clause</title>
      <input type="text" token="tokLogLevelOption2" searchWhenChanged="true">
        <label>Log Level Filters ( INFO, ERROR and WARN)</label>
        <prefix>log_level="</prefix>
        <suffix>"</suffix>
      </input>
      <table>
        <search>
          <query>index=_internal sourcetype=splunkd $tokLogLevelOption2Filter$
| stats count by log_level</query>
          <earliest>$tokTime.earliest$</earliest>
          <latest>$tokTime.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>

Please try out and confirm!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"


0 Karma
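As an added example that is not code from the thread or from Splunk, here is a small Python model of the token transform the accepted answer performs, with a hypothetical helper that trims whitespace, drops empty entries and escapes quotes and backslashes before rendering either the OR form (Option 2) or the IN form (Option 1); the naive function reproduces the answer's replace() step so the whitespace edge case can be seen side by side.

```python
# Added example (not from the thread or from Splunk): a hypothetical helper that
# builds the same filter the dashboard's independent search builds from the
# text-box token, so the edge cases can be checked outside Splunk.

def naive_or_clause(raw, field="log_level"):
    """Option 2 as posted: <prefix>/<suffix> wrap, then replace "," with OR.
    Keeps any whitespace around the entries, so "INFO, ERROR" yields
    log_level=" ERROR" for the second term."""
    wrapped = f'{field}="{raw}"'
    return wrapped.replace(",", f'" OR {field}="')

def parse_entries(raw):
    """Split the comma-delimited text, trim whitespace, drop empties and duplicates."""
    values = []
    for entry in raw.split(","):
        entry = entry.strip()
        if entry and entry not in values:
            values.append(entry)
    return values

def spl_literal(value):
    """Quote one entry as an SPL string literal, escaping backslash and double
    quote (the same treatment the |s token filter applies) so a user-supplied
    entry cannot close the literal early."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

def or_clause(raw, field="log_level"):
    """Option 2 hardened: field="v1" OR field="v2" ...; None when nothing usable."""
    values = parse_entries(raw)
    if not values:
        return None
    return " OR ".join(f"{field}={spl_literal(v)}" for v in values)

def in_clause(raw, field="log_level"):
    """Option 1 (Splunk 6.6+): field IN ("v1", "v2", ...) with the same quoting."""
    values = parse_entries(raw)
    if not values:
        return None
    return f"{field} IN ({', '.join(spl_literal(v) for v in values)})"

if __name__ == "__main__":
    # Constructed inputs: the question's usernames and a sloppy log-level entry.
    print(naive_or_clause("INFO, ERROR"))
    print(or_clause("INFO, ERROR,,warn"))
    print(in_clause("username1,username2,username3", field="user"))
```

In the dashboard the equivalent work is done by the `|s` token filter and the `replace()` in the independent search; the point of the helper is that every entry stays a quoted string literal in the generated search even when the user types spaces or quotes.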


splunk_vb
Explorer

"IN" was exactly what I was looking for! Thank you!

0 Karma