I have a field that I need to search on that is a long string of comma-separated values. It comes from our vulnerability scanner tool, Qualys, and looks something like this:
"OS: Windows 10 22H2, Port: 53, AV: Installed, SW: Maya, SVC: SiegeTower"
I have a multiselect dropdown on the dashboard with each unique tag that I want my users to be able to select any/all tags that matter to them. Application owners may only be concerned about viewing data related to their particular service on a particular operating system (user selects "OS: Windows 10 22H2" and "SVC: SiegeTower" for example).
The problem I'm running into is when users select multiple tags, the search looks like this:
<base search>
| search TAGS IN ("OS: Windows 10 22H2","SVC: SiegeTower")
| ...
which returns zero results. What I really need is:
<base search>
| search TAGS IN ("*OS: Windows 10 22H2*","*SVC: SiegeTower*")
| ...
Which has wildcard characters on each search selection and does return the correct results.
Is there any way to add wildcards to the multiselect dropdown selections to get the right results? The only other option I tried was a combination of split and mvexpand on the TAGS field to perform the search, but between thousands of endpoints and dozens of tags, I ran into memory issues that I won't be able to overcome any time soon.
Any help here is appreciated!
I'd go the other way around - either extract the values into separate fields or use tokenizer to split the field into multiple values. Searching for wildcards at the beginning of the search term is very ineffective.
Turns out the solution was simpler than I thought.
The multiselect is populated from a query. Within that query I just created another field that took the tags and added wildcard characters to the front and back.
<base search>
| eval TAGS = split(TAGS, ",")
| mvexpand TAGS
| eval TAGS = trim(TAGS)
| dedup TAGS
| table TAGS
| eval TAGS_WILDCARD = "*" + TAGS + "*"
| sort TAGS
With this, I mapped TAGS to the dynamic menu label field, and TAGS_WILDCARD to the dynamic menu value field. I was then able to use the token filter "|s" to wrap each value in quotes.
Ultimately, I ended up with this:
<base search>
| search TAGS IN ($includeTag|s$) AND NOT TAGS IN ($excludeTag|s$)
Hi @DATT
How about this?
<form version="1.1">
  <label>ClassicTest</label>
  <fieldset submitButton="false" autoRun="true">
    <input type="multiselect" token="tags" searchWhenChanged="true">
      <label>Tags</label>
      <choice value="OS: MacOS">OS: MacOS</choice>
      <choice value="OS: Windows 10">OS: Windows 10</choice>
      <choice value="OS: Windows 11">OS: Windows 11</choice>
      <prefix>tags = </prefix>
      <valuePrefix>"*</valuePrefix>
      <valueSuffix>*"</valueSuffix>
      <delimiter> OR tags=</delimiter>
    </input>
  </fieldset>
  <row>
    <panel>
      <title></title>
      <table>
        <title>Output</title>
        <search>
          <query>|makeresults | eval msg="Event 1", tags="Junk1,OS: Windows 11,something1"
| append [|makeresults | eval msg="Event 2", tags="Junk2,OS: Windows 10,something2"]
| append [|makeresults | eval msg="Event 3", tags="Junk3,OS: MacOS 15.4,something1"]
| search $tags$</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>
This uses a selection of tags="*<something>*" OR .. instead of trying to use IN.
Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards
Will
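Added example (not from either answer above, and not Splunk code): a small Python model of what the two approaches in this thread do at the SPL level, so the difference between exact `IN` values and wildcarded ones can be checked offline. It builds the dropdown choices the way the accepted answer's populating search does (split on commas, trim, dedup, wrap in `*`), renders both the `TAGS IN (...)` form with `$token|s$`-style quoting and Will's `tags="*x*" OR tags="*y*"` form, and runs them against a few constructed events. The `spl_quote` function mimics what the `|s` filter does (wrap in double quotes, escape embedded quotes and backslashes), which is the part that keeps a user-controlled dropdown value from closing the quoted literal and altering the search; the event data, host names and the simplified matcher are assumptions made for the example.

```python
import re

# Constructed sample events in the shape described in the question
# (one comma-separated TAGS string per endpoint); not real scanner output.
SAMPLE_EVENTS = [
    {"host": "ep-01", "TAGS": "OS: Windows 10 22H2, Port: 53, AV: Installed, SW: Maya, SVC: SiegeTower"},
    {"host": "ep-02", "TAGS": "OS: Windows 11, Port: 443, AV: Installed, SVC: Portal"},
    {"host": "ep-03", "TAGS": "OS: MacOS 15.4, AV: Missing, SVC: SiegeTower"},
]


def spl_quote(value: str) -> str:
    """Mimic the $token|s$ filter: wrap in double quotes and escape embedded
    backslashes and quotes so a value cannot break out of the quoted literal."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def wildcard_choices(events, field="TAGS"):
    """The dropdown-populating search from the accepted answer, in Python:
    split on commas, trim, dedup, sort, and map each label to a "*label*" value."""
    seen = {}
    for ev in events:
        for raw in ev[field].split(","):
            tag = raw.strip()
            if tag and tag not in seen:
                seen[tag] = "*" + tag + "*"
    return dict(sorted(seen.items()))


def in_clause(field, values, negate=False):
    """Render `field IN ("v1","v2")` with every value quoted like $token|s$."""
    clause = f'{field} IN ({",".join(spl_quote(v) for v in values)})'
    return f"NOT {clause}" if negate else clause


def or_clause(field, values):
    """Render the Classic prefix/valuePrefix/valueSuffix/delimiter form:
    field="*v1*" OR field="*v2*"."""
    return " OR ".join(f'{field}={spl_quote("*" + v + "*")}' for v in values)


def _pattern_to_regex(pattern: str) -> str:
    # Only '*' is a wildcard; everything else is literal text.
    return ".*".join(re.escape(part) for part in pattern.split("*"))


def field_matches(actual: str, patterns) -> bool:
    """Simplified Splunk field-match semantics (an assumption of this example):
    case-insensitive, '*' matches anything, and a pattern with no '*' must
    equal the whole field value, which is why the un-wildcarded IN finds nothing."""
    return any(re.fullmatch(_pattern_to_regex(p), actual, re.IGNORECASE) for p in patterns)


def search(events, include, exclude=(), field="TAGS"):
    """IN(...) is any-of on include; NOT IN(...) removes any-of on exclude."""
    return [ev["host"] for ev in events
            if field_matches(ev[field], include)
            and not (exclude and field_matches(ev[field], exclude))]


if __name__ == "__main__":
    picked = ["OS: Windows 10 22H2", "SVC: SiegeTower"]
    choices = wildcard_choices(SAMPLE_EVENTS)
    print(in_clause("TAGS", picked), "->", search(SAMPLE_EVENTS, picked))
    wild = [choices[p] for p in picked]
    print(in_clause("TAGS", wild), "->", search(SAMPLE_EVENTS, wild))
    print(or_clause("tags", picked))
```

Running it shows the first clause returning no hosts and the wildcarded clause returning the endpoints whose TAGS string contains either selected tag, which is the behaviour the accepted answer relies on.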
This looks like a classic dashboard? I didn't think to mention we're using Dashboard Studio. Is prefix/suffix available in Dashboard Studio?
Ah yes okay, that is Classic only, sorry I didn't realise you were wanting Dashboard Studio!