Splunk Search

Multiselect dropdown with wildcards

DATT
Path Finder

I have a field that I need to search on that is a long string of comma-separated values.  It comes from our vulnerability scanner tool, Qualys, and looks something like this:

"OS: Windows 10 22H2, Port: 53, AV: Installed, SW: Maya, SVC: SiegeTower"

I have a multiselect dropdown on the dashboard with each unique tag that I want my users to be able to select any/all tags that matter to them.  Application owners may only be concerned about viewing data related to their particular service on a particular operating system (user selects "OS: Windows 10 22H2" and "SVC: SiegeTower" for example).

The problem I'm running into is when users select multiple tags, the search looks like this:

<base search>
| search TAGS IN ("OS: Windows 10 22H2","SVC: SiegeTower")
| ...

which returns zero results. What I really need is:

<base search>
| search TAGS IN ("*OS: Windows 10 22H2*","*SVC: SiegeTower*")
| ...

Which has wildcard characters on each search selection and does return the correct results.

Is there any way to add wildcards to the multiselect dropdown selections to get the right results?  The only other option I tried was a combination of split and mvexpand on the TAGS field to perform the search, but between thousands of endpoints and dozens of tags, I ran into memory issues that I won't be able to overcome any time soon.

Any help here is appreciated!


PickleRick
SplunkTrust

I'd go the other way around - either extract the values into separate fields or use tokenizer to split the field into multiple values. Searching for wildcards at the beginning of the search term is very ineffective.


DATT
Path Finder

Turns out the solution was simpler than I thought.

The multiselect is populated from a query.  Within that query I just created another field that took the tags and added wildcard characters to the front and back.  

<base search>
| eval TAGS = split(TAGS, ",")
| mvexpand TAGS
| eval TAGS = trim(TAGS)
| dedup TAGS
| table TAGS
| eval TAGS_WILDCARD = "*" + TAGS + "*"
| sort TAGS

With this, I mapped TAGS to the dynamic menu label field, and TAGS_WILDCARD to the dynamic menu value field.  I was then able to use the token filter "|s" to wrap each value in quotes.

Ultimately, I ended up with this:

<base search>
| search TAGS IN ($includeTag|s$) AND NOT TAGS IN ($excludeTag|s$)
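A worked SPL example, added here and not from either poster, that shows PickleRick's tokenizer suggestion together with the include/exclude filter from the accepted answer. It assumes the Qualys tag string is comma-separated exactly as in the question; the three events and their field values are constructed with makeresults so the search runs on its own, and the field name n is only there to tell the sample rows apart.

```spl
| makeresults count=3
| streamstats count AS n
| eval TAGS = case(
    n=1, "OS: Windows 10 22H2, Port: 53, AV: Installed, SW: Maya, SVC: SiegeTower",
    n=2, "OS: Windows 11 23H2, Port: 443, AV: Installed, SVC: Bastion",
    n=3, "OS: MacOS 15.4, Port: 22, AV: Missing, SVC: SiegeTower")
| makemv tokenizer="([^,]+)" TAGS
| eval TAGS = mvmap(TAGS, trim(TAGS))
| search TAGS IN ("OS: Windows 10 22H2", "SVC: SiegeTower") NOT TAGS IN ("AV: Missing")
| table n TAGS
```

makemv turns the single string into a multivalue field, one value per tag, and mvmap with trim removes the space that follows each comma, so the dropdown values can be exact tag strings with no leading wildcard. The search command treats a multivalue field as matching when any of its values matches, so the IN list and the NOT clause work against the split values directly; only the first sample event survives here, because the third carries "AV: Missing". Because nothing is mvexpand'ed, the row count stays at one per endpoint, which is what avoids the memory blow-up described in the question. For indexed data the same split can be declared once for the field in fields.conf (the TOKENIZER setting) so every search sees TAGS as multivalue without an inline makemv.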

livehybrid
SplunkTrust

Hi @DATT 

How about this? 

<form version="1.1">
  <label>ClassicTest</label>
  <fieldset submitButton="false" autoRun="true">
    <input type="multiselect" token="tags" searchWhenChanged="true">
      <label>Tags</label>
      <choice value="OS: MacOS">OS: MacOS</choice>
      <choice value="OS: Windows 10">OS: Windows 10</choice>
      <choice value="OS: Windows 11">OS: Windows 11</choice>
      <prefix>tags = </prefix>
      <valuePrefix>"*</valuePrefix>
      <valueSuffix>*"</valueSuffix>
      <delimiter> OR tags=</delimiter>
    </input>
  </fieldset>
  <row>
    <panel>
      <title></title>
      <table>
        <title>Output</title>
        <search>
          <query>|makeresults | eval msg="Event 1", tags="Junk1,OS: Windows 11,something1"
| append [|makeresults | eval msg="Event 2", tags="Junk2,OS: Windows 10,something2"]
| append [|makeresults | eval msg="Event 3", tags="Junk3,OS: MacOS 15.4,something1"]
| search $tags$</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

This uses a selection of tags="*<something>*" OR ... instead of trying to use IN.

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will


DATT
Path Finder

This looks like a classic dashboard?   I didn't think to mention we're using Dashboard Studio.  Is prefix/suffix available in Dashboard Studio?


livehybrid
SplunkTrust

Ah yes okay, that is Classic only, sorry I didn't realise you were wanting Dashboard Studio!
