Splunk Search
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to update/edit multiple fields in lookup without making duplicates rows?

hketer
Path Finder
‎06-06-2019 07:54 AM

Hi !
I have this search:

| makeresults
| eval customField="$Soc3$" , soc3dField="$multi$"
| table customField soc3dField
| makemv soc3dField delim=","
| mvexpand soc3dField
| append [
   | inputlookup append=t $Lookup$
   | where soc3dField != "$multi$"] ]

$multi$ - could contain multiple values that I get from multiselect
The table I get is with duplicate rows:

alt text

What I'm trying to do is to take all the values in the $multi$ (contain the soc3dField) ---> update the customField in the lookup
As you can see below, I've tried the same search with no tokens and It worked good!

| makeresults
| eval customField="f43256" , soc3dField="bytesIn,bytesOut"
| table customField soc3dField
| makemv soc3dField delim=","
| mvexpand soc3dField

| append
[| inputlookup append=f Test.csv
   | where soc3dField != "bytesIn" AND soc3dField != "bytesOut"]

alt text

Thank you !!

image-3.png
Preview file
20 KB
capture11.png
Preview file
9 KB
0 Karma
Reply

evania
Splunk Employee
Splunk Employee
‎06-17-2019 03:06 PM

Hi @hketer ,

Did you have a chance to check out any answers? If it worked, please resolve this post by approving it! If your problem is still not solved, keep us updated so that someone else can help you.

Thanks for posting!

0 Karma
Reply

niketn
Legend
‎06-06-2019 10:06 AM

@hketer in order to set the tokens from multiselect input you would need to use
1) Either an independent search to set the required tokens using SPL as per requirement.
2) Simple XML JS extension to handle multiselect change and set the required tokens using SplunkJS
PS: Refer to one of my older answer for details on both approach: https://answers.splunk.com/answers/681099/multiselect-option-not-getting-displayed-if-the-op.html

For your use-case following is a run anywhere example with Simple XML dashboard with independent search to set the two required tokens i.e.

1. $tokSoc3Fields$: "bytesIn,bytesOut"
2. $tokSoc3FieldsNotEqual$: soc3dField!="bytesIn" AND soc3dField!="bytesOut"

You can use the above tokens in your final SPL which works for you with static code.
Please try the following run anywhere search

<form>
  <label>Multiselect multiple tokens for search</label>
  <fieldset submitButton="false">
    <input type="multiselect" token="multi" searchWhenChanged="true">
      <label>Multiselect</label>
      <choice value="bytesIn">Bytes In</choice>
      <choice value="bytesOut">Bytes Out</choice>
    </input>
  </fieldset>
  <!-- Independent search to set multiple tokens from Multiselect -->
  <search>
    <query>| makeresults 
| eval multi="$multi$" 
| eval soc3Fields="\"".replace(multi," ",",")."\"" 
| eval soc3FieldsNotEqual="soc3dField!=".replace(soc3Fields,",","\" AND soc3dField!=\"")
    </query>
    <progress>
      <set token="tokSoc3Fields">$result.soc3Fields$</set>
      <set token="tokSoc3FieldsNotEqual">$result.soc3FieldsNotEqual$</set>
    </progress>
  </search>
  <row>
    <panel>
      <html>
        <div><b>tokSoc3Fields:</b> <code>$tokSoc3Fields$</code></div>
        <div><b>tokSoc3FieldsNotEqual:</b> <code>$tokSoc3FieldsNotEqual$</code></div>
      </html>
    </panel>
  </row>
</form>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL  The Splunk AI Assistant for SPL ...

Buttercup Games: Further Dashboarding Techniques (Part 5)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Customers Increasingly Choose Splunk for Observability

For the second year in a row, Splunk was recognized as a Leader in the 2024 Gartner® Magic Quadrant™ for ...
Top