Splunk Search

How to set token value based on selection from multiselect input?

dhirendra761
Contributor

Hi @Splunkers,

I created a panel which gives output based on multiselected fields; both have different sources/indexes.

The issue is:

The multiselect has only the values "A", "B", "C" and "All". The panel is working correctly based on the selection.

When I select "A+B+C", it should match the "ALL" selection, but ALL contains the values "A","B","C",......"Y","Z", because I put ALL="*" in the input settings.

How can I set the token value to filter the values for "ALL", so that it collects only "A" OR "B" OR "C" and not "*"?


yuanliu
SplunkTrust
SplunkTrust

Can you explain what the purpose of token4 is, and why you need it in the first place?  Based on your match logic, there should be a million ways to do whatever you need to do using just token3 (with help from token1 and token2 if they are real user selections).  Can you give an example in which $token4$ is used that cannot be accomplished without it?

To set token3 with dynamic values is quite easy.  Here is a test dashboard to test this idea

<form version="1.1">
  <label>test multiselection</label>
  <fieldset submitButton="false">
     <!-- other inputs -->
     <input type="multiselect" token="token3" searchWhenChanged="false">
      <label>Name</label>
      <delimiter>,</delimiter>
      <fieldForLabel>name</fieldForLabel>
      <fieldForValue>value</fieldForValue>
      <search>
        <query>| from datamodel:"aa"
| search Unit="$token1$" noteName="$token2$"|stats count by name
| eval value=name
| append
  [| from datamodel:"aa"
   | search Unit="$token1$" noteName="$token2$"
   | stats values(name) as value
   | eval name = "All"]
        </query>
        <earliest>0</earliest>
        <latest></latest>
      </search>
      <prefix></prefix>
      <suffix></suffix>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>show token3</title>
      <table>
        <search>
          <query>| makeresults
| eval token3 = "$token3$"
| fields - _time</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

With this, no matter how many distinct names you have, selector "All" will include them all.


0 Karma

dhirendra761
Contributor

Hi @yuanliu ,

Thank you for being with me for technical support and solutions.

I changed my approach and solved this issue by filtering with a join before the data came into the multiselect field.

It resolved my issue.

😁👍

0 Karma

yuanliu
SplunkTrust
SplunkTrust

You can change your search term from equality to member of, i.e., from field=$mytoken$ to field IN $mytoken$.  In the multiselect input, use "(" as prefix, ")" as postfix, and "," as delimiter.

0 Karma
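An added example, not part of any post in this thread: a small Python model of how a Simple XML multiselect assembles its token (prefix, valuePrefix, delimiter, suffix), comparing an ALL choice of `*` with an "All" choice that enumerates the names returned by the input's populating search. The helper functions and the names A to Z are constructed for illustration; the field name `abc` is taken from the valuePrefix used in the thread.

```python
from fnmatch import fnmatchcase
from string import ascii_uppercase


def render_token(selected, prefix="", suffix="", value_prefix="",
                 value_suffix="", delimiter=" "):
    """Model of multiselect token assembly:
    prefix + delimiter.join(valuePrefix + value + valueSuffix) + suffix."""
    parts = [f"{value_prefix}{v}{value_suffix}" for v in selected]
    return prefix + delimiter.join(parts) + suffix


def matched(selected, indexed_names):
    """Names a filter on `selected` lets through; '*' is a wildcard, as in SPL."""
    return sorted(n for n in indexed_names
                  if any(fnmatchcase(n, pattern) for pattern in selected))


# Constructed sample data: every name present in the panel's index, and the
# subset the input's populating search returns for the current token1/token2.
INDEXED_NAMES = list(ascii_uppercase)   # "A" .. "Z"
SCOPED_NAMES = ["A", "B", "C"]


def wildcard_all():
    """ALL as <choice value="*"> with valuePrefix 'abc=' and delimiter ' OR '."""
    selected = ["*"]
    token = render_token(selected, value_prefix="abc=", delimiter=" OR ")
    return token, matched(selected, INDEXED_NAMES)


def enumerated_all():
    """All expands to the scoped names, rendered for a search using abc IN $token3$."""
    selected = list(SCOPED_NAMES)
    token = render_token(selected, prefix="(", suffix=")", delimiter=",")
    return token, matched(selected, INDEXED_NAMES)


if __name__ == "__main__":
    for label, build in (("wildcard", wildcard_all),
                         ("enumerated", enumerated_all)):
        token, names = build()
        print(f"{label:10} token3={token!r} -> {len(names)} names matched")
```
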

dhirendra761
Contributor

Hi @yuanliu ,

Thank you for the feedback. For more clarity, I used the code below in my dashboard.

<input type="multiselect" token="token3" searchWhenChanged="false">
        <label>Name</label>
        <valuePrefix>abc=</valuePrefix>
        <delimiter> OR </delimiter>
        <fieldForLabel>name</fieldForLabel>
        <fieldForValue>name</fieldForValue>
        <search>
          <query>| from datamodel:"aa"
| search Unit="$token1$" noteName="$token2$"|stats values(name) as name
| mvexpand name</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <choice value="*">ALL</choice>
        <change>
          <condition>
            <set token="tokSPL">TRUE</set>
            <unset token="form.token4"></unset>
          </condition>
          <condition  match="'value'==&quot;*&quot;">
            <set token="tokSPL">All values</set>
            <set token="form.token4">*</set>
          </condition>
        </change>
      </input>

It's working fine except for the ALL selection.

Now I am trying to set a new token4 based on the selection, but it's not working!

Let me know if I am going in the right direction, or if any change is required.

Thanks in advance.

0 Karma

yuanliu
SplunkTrust
SplunkTrust

Without knowing how $token3$, $tokSPL$,  and $token4$ are being used in the dashboard, it is hard to decipher what the snippet is meant to be.  So, here I illustrate an example where token3 can be set to any of

  • any singular value, or combination of values, from |stats count by name (more efficient than grouping names into a multivalue and then using mvexpand)
  • the fixed set ("A", "B", "C") assuming that what you wanted is a static enumeration.

But you cannot use $token3$ in equality comparison.  Any search involving $token3$ in the dashboard must be in the form of

fieldname IN ($token3$)

 

    <input type="multiselect" token="token3" searchWhenChanged="false">
      <label>Name</label>
      <delimiter>,</delimiter>
      <fieldForLabel>name</fieldForLabel>
      <fieldForValue>name</fieldForValue>
      <search>
        <query>| from datamodel:"aa"
| search Unit="$token1$" noteName="$token2$"|stats values(name) as name
| mvexpand name</query>
        <earliest>0</earliest>
        <latest></latest>
      </search>
      <choice value="&quot;A&quot;,&quot;B&quot;,&quot;C&quot;">ALL</choice>
      <change>
        <condition>
          <set token="tokSPL">TRUE</set>
          <unset token="form.token4"></unset>
        </condition>
        <condition match="'value' = &quot;\&quot;A\&quot;,\&quot;B\&quot;,\&quot;C\&quot;&quot;">
          <set token="tokSPL">All values</set>
          <set token="form.token4">*</set>
        </condition>
      </change>
      <prefix></prefix>
      <suffix></suffix>
    </input>

Hope this helps

0 Karma

dhirendra761
Contributor

Hi Again @yuanliu ,

Thanks. The selection values are dynamic, based on token1 and token2.

I cannot set them as static, including OR. There can be more than 5 values or 1 value, depending upon token2.

Is it possible to set a token when its value is "*"? Can we evaluate the search again and set it to a token when someone selects ALL?

0 Karma


dhirendra761
Contributor

Hi @yuanliu ,

Thank you so much. Let me check whether your solution resolves it in any way.

Otherwise I will try to explain token4 and the issue.

0 Karma