Splunk Search

Passing multiple values of label in input dropdown

smanojkumar
Contributor

Hello There,

I would like to pass multiple values in the label, whereas in the current search I can only pass one value at a time:

<input type="multiselect" token="siteid" searchWhenChanged="true">
<label>Site</label>
<choice value="*">All</choice>
<choice value="03">No Site Selected</choice>
<fieldForLabel>displayname</fieldForLabel>
<fieldForValue>prefix</fieldForValue>
<search>
<query>
| inputlookup site_ids.csv
|search displayname != "ABCN8" AND displayname != "ABER8" AND displayname != "AFRA7" AND displayname != "AMAN2"
</query>
<earliest>-15m</earliest>
<latest>now</latest>
</search>
<delimiter>_fc7 OR index=</delimiter>
<suffix>_fc7</suffix>
<default>03</default>
<initialValue>03</initialValue>
<change>
<eval token="form.siteid">case(mvcount('form.siteid') == 2 AND mvindex('form.siteid', 0) == "03", mvindex('form.siteid', 1), mvfind('form.siteid', "\\*") == mvcount('form.siteid') - 1, "03", true(), 'form.siteid')</eval>
</change>
<change>
<set token="tokLabel">$label$</set>
</change>
</input>



I need to pass this label value as well, which is a multiselect value.

Thanks!

0 Karma

yuanliu
SplunkTrust

Please do not repeat the same question.  If needed, you can edit the post to correct or add more information; alternatively, delete one of them.

Your posting does not demonstrate that only one value is passed at a time.  How do you know?  Without showing the data, the selections you make, the search you use, and the output, no one can read your mind.  Here is a dashboard I constructed for another question and adapted to demonstrate that multiple values are being passed:

<form version="1.1" theme="light">
  <label>Multivalue input</label>
  <description>https://community.splunk.com/t5/Splunk-Search/Passing-a-mutiple-values-of-label-in-input-dropdown/m-p/705987</description>
  <fieldset submitButton="false">
    <input type="multiselect" token="multivalue_field_tok" searchWhenChanged="true">
      <label>select all field values</label>
      <choice value="*">All</choice>
      <default>WARN,WARNING</default>
      <delimiter> </delimiter>
      <fieldForLabel>log_level</fieldForLabel>
      <fieldForValue>log_level</fieldForValue>
      <search>
        <query>| makeresults format=csv data="log_level
INFO
WARN
WARNING
ERROR"</query>
      </search>
    </input>
    <input type="multiselect" token="multivalue_term_tok" searchWhenChanged="true">
      <label>select all terms</label>
      <choice value="Installed">Installed</choice>
      <choice value="binary">binary</choice>
      <choice value="INFO">INFO</choice>
      <choice value="WARNING">WARNING</choice>
      <choice value="ERROR">ERROR</choice>
      <choice value="*">All</choice>
      <default>binary,ERROR</default>
      <delimiter> OR </delimiter>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>$multivalue_field_tok$</title>
      <event>
        <search>
          <query>index = _internal log_level IN ($multivalue_field_tok$)</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="list.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </event>
    </panel>
    <panel>
      <title>$multivalue_term_tok$</title>
      <event>
        <title>no field name</title>
        <search>
          <query>index = _internal ($multivalue_term_tok$)</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="list.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </event>
    </panel>
  </row>
</form>

As you can see, you can select any combination of values.  They are passed faithfully into respective searches.

0 Karma

smanojkumar
Contributor

Hello @yuanliu,

Thanks for your reply.

The query of the input dropdown can already pass multiselect values. Here I have two field values: one is the field for label and the other is the field for value. I need to pass the field for value to the search, which is working fine in the current search, but I also need to pass the field for label values to the search, where it is a multiselect value.

Please let me know if I missed anything.

Thanks!

0 Karma

yuanliu
SplunkTrust
  1. "field for label" and "field for value" are not generic terms used in Splunk practice.  Maybe their meaning is clear in your context or in your organization, but for volunteers here, you need to define them and describe them in plain language without SPL.
  2. You need to give an example search where you are using a token, illustrate what values the token carries (you mentioned something works with a single value but not when more than one value is passed), illustrate what the result is supposed to look like (expected results) - to do this, you may also need to illustrate the data given to that search - and illustrate what actual result you get when multiple values are passed to the search.  Additionally, explain the difference between the actual result and the expected result if that is not painfully obvious.

In short, you need to follow the golden rules of asking an answerable question.  I call them Four Commandments:

  • Illustrate data input (in raw text, anonymize as needed), whether they are raw events or output from a search (SPL that volunteers here do not have to look at).
  • Illustrate the desired output from illustrated data.
  • Explain the logic between illustrated data and desired output without SPL.
  • If you also illustrate attempted SPL, illustrate actual output and compare with desired output, explain why they look different to you if that is not painfully obvious.
0 Karma

smanojkumar
Contributor

Hi @yuanliu,

Thanks for your reply.
Sorry for not describing it properly.

1. The data input is from the lookup site_ids.csv:

displayname    prefix
abc12          23456789
qwe14          78945612
rty12          12356789
yuui13         56897412


Here I need to display the displayname field values in the input dropdown as a multiselect value, and I would also like to pass the label, that is the prefix, to my search.

Let's say I select the following displayname field values:

abc12
qwe14
rty12

I need to see these values in the input dropdown and need to pass the corresponding prefixes to the search in the dashboard panel:

23456789
78945612
12356789

as ("23456789", "78945612", "12356789"), which needs to be used in the IN command.

Here is the search where I will be using the prefix token:

index=abc sourcetype=sc*
| fields _time index Eventts FIELD* source IPC
| search IPC IN ($my_token$)
| fields - source



Hope I'm clear now; please let me know if there is anything else you need.

Thanks!

0 Karma

yuanliu
SplunkTrust

Let me restate what you are trying to do.

  1. Select multiple values of prefix from the lookup.
  2. Perform a search that filters on values of IPC equal to any of the selected prefixes.

Is this correct?  Based on your mock SPL, IPC is already extracted at search time.  You don't need a second pipe to search for it.  Let me first give you a mock dashboard using your search.  Then, I will show a demo dashboard using emulations to show how it works.

 

<form version="1.1">
  <label>Multivalue input</label>
  <description>https://community.splunk.com/t5/Splunk-Search/Passing-a-mutiple-values-of-label-in-input-dropdown/m-p/706304</description>
  <fieldset submitButton="false">
    <input type="multiselect" token="my_token" searchWhenChanged="true">
      <label>select all applicable</label>
      <choice value="*">All</choice>
      <initialValue>*</initialValue>
      <fieldForLabel>displayname</fieldForLabel>
      <fieldForValue>prefix</fieldForValue>
      <search>
        <query>| inputlookup site_ids.csv</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <delimiter>,</delimiter>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>token value: &gt;$my_token$&lt;</title>
        <search>
          <query>index=abc sourcetype=sc* IPC IN ($my_token$)
| fields _time index Eventts FIELD* IPC</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="list.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

 

This should deliver the functionality you described.  Note I moved your filter into the index search.  This is more efficient.  I also do not know why you list source in the first fields command but then remove this field in the last fields command.  So I also removed these.

Anyway, let me demonstrate the functionality with an emulation of these events:

FIELD1  FIELD2           IPC
2       stuff            23456789
4       more stuff       78945612
6       stuff 2          12356789
8       even more stuff  56897412
5       and stuff        78945612
14      and more stuff   23456789
9       even more        12356789

Play with the following dashboard and compare with real data.

 

<form version="1.1">
  <label>Multivalue input</label>
  <description>https://community.splunk.com/t5/Splunk-Search/Passing-a-mutiple-values-of-label-in-input-dropdown/m-p/706304</description>
  <fieldset submitButton="false">
    <input type="multiselect" token="my_token" searchWhenChanged="true">
      <label>select all applicable</label>
      <choice value="*">All</choice>
      <initialValue>*</initialValue>
      <fieldForLabel>displayname</fieldForLabel>
      <fieldForValue>prefix</fieldForValue>
      <search>
        <query>| makeresults format=csv data="displayname,prefix
abc12,23456789
qwe14,78945612
rty12,12356789
yuui13,56897412"
``` the above emulates
| inputlookup site_ids.csv
```</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <delimiter>,</delimiter>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>token value: &gt;$my_token$&lt;</title>
        <search>
          <query>| makeresults
| eval _raw="IPC, FIELD1, FIELD2
23456789, 2, stuff
78945612, 4, more stuff
12356789, 6, stuff 2
56897412, 8, even more stuff
78945612, 5, and stuff
23456789, 14, and more stuff
12356789, 9, even more"
| multikv
| search IPC IN ($my_token$)
``` the above emulates
index=abc sourcetype=sc* IPC IN ($my_token$)```
| fields _time index Eventts FIELD* IPC</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

 

If I select abc12 and yuui13, I get

_time                index  Events  FIELD1  FIELD2           IPC
2024-12-10 23:32:17                 2       stuff            23456789
2024-12-10 23:32:17                 8       even more stuff  56897412
2024-12-10 23:32:17                 14      and more stuff   23456789

This fits exactly what you describe.  In other words, I do not see any unexpected results when selecting multiple values.
0 Karma
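Added example, not posted by anyone in this thread: a small Python model of the mechanics the thread discusses, using constructed copies of the lookup rows and emulated events shown above. It assumes the usual SimpleXML multiselect assembly rule (prefix once, each value wrapped in valuePrefix/valueSuffix, values joined by delimiter, then suffix); the function names are this example's own. It converts selected display names to their prefixes (fieldForLabel to fieldForValue), reproduces the "03"/"*" handling from the first post's `<change><eval token="form.siteid">`, renders the token the way `<valuePrefix>"</valuePrefix>` and `<valueSuffix>"</valueSuffix>` would (which is how the quoted `("23456789", ...)` form asked for can be produced), checks values before they are interpolated into SPL, and applies the `IN()` filter to the emulated events to reproduce the three-row result yuanliu showed.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample data mirroring the lookup and the emulated events in the thread.
SITE_LOOKUP = [
    {"displayname": "abc12", "prefix": "23456789"},
    {"displayname": "qwe14", "prefix": "78945612"},
    {"displayname": "rty12", "prefix": "12356789"},
    {"displayname": "yuui13", "prefix": "56897412"},
]

EVENTS = [
    {"IPC": "23456789", "FIELD1": "2", "FIELD2": "stuff"},
    {"IPC": "78945612", "FIELD1": "4", "FIELD2": "more stuff"},
    {"IPC": "12356789", "FIELD1": "6", "FIELD2": "stuff 2"},
    {"IPC": "56897412", "FIELD1": "8", "FIELD2": "even more stuff"},
    {"IPC": "78945612", "FIELD1": "5", "FIELD2": "and stuff"},
    {"IPC": "23456789", "FIELD1": "14", "FIELD2": "and more stuff"},
    {"IPC": "12356789", "FIELD1": "9", "FIELD2": "even more"},
]


def labels_to_values(labels, lookup=SITE_LOOKUP):
    """What the multiselect does: the user picks displayname (fieldForLabel);
    the token receives the matching prefix (fieldForValue)."""
    by_label = {row["displayname"]: row["prefix"] for row in lookup}
    return [by_label[label] for label in labels]


def normalize_selection(selected):
    """Python rendering of the case() in the first post's <eval token="form.siteid">:
    - exactly two values with "03" (No Site Selected) first: keep only the second one;
    - "*" (All) is the last value picked: collapse back to "03";
    - otherwise leave the selection as it is."""
    if len(selected) == 2 and selected[0] == "03":
        return [selected[1]]
    # mvfind('form.siteid', "\\*"): index of the first value containing a literal '*'
    star = next((i for i, v in enumerate(selected) if re.search(r"\*", v)), None)
    if star is not None and star == len(selected) - 1:
        return ["03"]
    return list(selected)


def render_token(values, delimiter=",", prefix="", suffix="",
                 value_prefix="", value_suffix=""):
    """Assumed model of multiselect token assembly: <prefix> once, each value wrapped
    in <valuePrefix>/<valueSuffix>, values joined by <delimiter>, then <suffix>."""
    body = delimiter.join(f"{value_prefix}{v}{value_suffix}" for v in values)
    return prefix + body + suffix


SAFE_VALUE = re.compile(r"[A-Za-z0-9_.*-]+")


def check_values(values):
    """Defensive check: the rendered token is pasted into the panel's SPL verbatim, so a
    lookup row containing quotes, parentheses or boolean operators would change what the
    search means. Accept only word characters, dots, dashes and the * wildcard."""
    bad = [v for v in values if not SAFE_VALUE.fullmatch(v)]
    if bad:
        raise ValueError(f"values unsafe to interpolate into SPL: {bad}")
    return list(values)


def filter_events(events, ipcs, field="IPC"):
    """Emulates `IPC IN ($my_token$)`: keep events whose IPC matches any selected value,
    with * acting as a wildcard, so the All choice ("*") returns everything."""
    return [e for e in events if any(fnmatchcase(e[field], pat) for pat in ipcs)]


if __name__ == "__main__":
    chosen = check_values(labels_to_values(["abc12", "yuui13"]))
    print(render_token(chosen))                                      # 23456789,56897412
    print(render_token(chosen, value_prefix='"', value_suffix='"'))  # "23456789","56897412"
    for row in filter_events(EVENTS, chosen):
        print(row)  # FIELD1 2, 8 and 14, the same three rows as in the thread
```

The check_values step is the part worth keeping in mind for real dashboards: a lookup that anyone can edit feeds text straight into a search, so constraining the values (or quoting each one with valuePrefix/valueSuffix) is what keeps an odd lookup row from silently widening the panel's search.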