Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Passing Multiselect macro input token to search

smanojkumar
Contributor
‎11-02-2023 04:29 AM

Hi Splunkers!
  I would like to pass two macros as a token to a base search when multiple values in multiselect is selected,

<done>
<condition match="$index$ == &quot;2A*&quot; AND $index$ == &quot;1T*&quot; AND $index$ == &quot;2S*&quot;">
<set token="standard">true</set>
<set token="scada">true</set>
<set token="aws">true</set>
<set token="index_label">Standard, Scada, AWS</set>
<set token="index_scope">`scada` OR `aws` OR `standard($cmdb_scope$)`</set>
</condition>
<condition match="$index$ == &quot;2A*&quot; AND $index$ == &quot;1T*&quot;">
<set token="standard">true</set>
<unset token="aws"></unset>
<set token="scada">true</set>
<set token="index_label"> Standard,  Scada</set>
<set token="index_scope">`scada` OR `standard($cmdb_scope$)`</set>
</condition>
<condition match="$index$ == &quot;2A*&quot; AND $index$ == &quot;2S*&quot;">
<unset token="standard"></unset>
<set token="scada">true</set>
<set token="aws">true</set>
<set token="index_label"> Scada,  AWS</set>
<set token="index_scope">`scada` OR `aws`</set>
</condition>
<condition match="$index$ == &quot;2S*&quot; AND $index$ == &quot;1T*&quot;">
<set token="standard">true</set>
<unset token="scada"></unset>
<set token="aws">true</set>
<set token="index_label"> AWS,  Standard</set>
<set token="index_scope">`aws` OR `standard($cmdb_scope$)`</set>
</condition>
<condition match="$index$ == &quot;2A*&quot;">
<unset token="standard"></unset>
<set token="scada">true</set>
<unset token="aws"></unset>
<set token="index_label"> Scada</set>
<set token="index_scope">`scada`</set>
</condition>
<condition match="$index$ == &quot;2S*&quot;">
<unset token="standard"></unset>
<unset token="scada"></unset>
<set token="aws">true</set>
<set token="index_label"> AWS</set>
<set token="index_scope">`aws`</set>
</condition>
<condition match="$index$ == &quot;1T*&quot;">
<set token="standard">true</set>
<unset token="scada"></unset>
<unset token="aws"></unset>
<set token="index_label"> Standard</set>
<set token="index_scope"> `standard($cmdb_scope$)`</set>
</condition>

    <input type="checkbox" token="index" searchWhenChanged="true">

      <label>Choose  console</label>

      <choice value="1T*"> Standard</choice>

      <choice value="2A*"> Scada</choice>

      <choice value="2S*"> AWS</choice>

      <default>1T*, 2A*,2S* </default>

      <initialValue>1T*, 2A*,2S* </initialValue>

      <change>

        <set token="index_label">$label$</set>

      </change>

      <change>

        <condition match="$index$ == &quot;1T*&quot; AND $index$ == &quot;2A*&quot; AND $index$ == &quot;2S*&quot;">

          <set token="standard">true</set>

          <set token="scada">true</set>

          <set token="aws">true</set>

          <set token="index_scope">`scada` OR `standard($cmdb_scope$)` OR `aws`</set>

        </condition>

        <condition match="$index$ == &quot;1T*&quot; AND $index$ == &quot;2A*&quot;">

          <set token="standard">true</set>

          <set token="scada">true</set>

          <unset token="aws"></unset>

          <set token="index_scope">`scada` OR `standard($cmdb_scope$)`</set>

        </condition>

        <condition match="$index$ == &quot;2A*&quot; AND $index$ == &quot;2S*&quot;">

          <unset token="standard"></unset>

          <set token="scada">true</set>

          <set token="aws">true</set>

          <set token="index_scope">`scada` OR `aws`</set>

        </condition>

        <condition match="$index$ == &quot;2S*&quot; AND $index$ == &quot;1T*&quot;">

          <set token="standard">true</set>

          <unset token="scada"></unset>

          <set token="aws">true</set>

          <set token="index_scope">`aws` OR `standard($cmdb_scope$)`</set>

        </condition>

        <condition match="$index$ == &quot;2A*&quot;">

          <unset token="standard"></unset>

          <set token="scada">true</set>

          <unset token="aws"></unset>

          <set token="index_scope">`scada`</set>

        </condition>

        <condition match="$index$ == &quot;2S*&quot;">

          <unset token="standard"></unset>

          <unset token="scada"></unset>

          <set token="aws">true</set>

          <set token="index_scope">`aws`</set>

        </condition>

        <condition match="$index$ == &quot;1T*&quot;">

          <set token="standard">true</set>

          <unset token="scada"></unset>

          <unset token="aws"></unset>

          <set token="index_scope">`standard($cmdb_scope$)`</set>

        </condition>

       but this is not working, Only one value is  passed when selecting two values.

Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...