Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Passing multiselect in Where clause
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've a multiselect.
<label>Grade</label>
<default>9,6,7</default>
<fieldForLabel>grade_name</fieldForLabel>
<fieldForValue>grade_name</fieldForValue>
<search>
<query/>
</search>
<initialValue>9,6,7</initialValue>
</input>
I want to pass these selected values in a where clause:
]
|inputlookup prod_students.csv | table school_name, school_id,grade_name |eventstats max(grade_name) as mx min(grade_name) as mn by school_name,school_id| where grade_name IN ("$grade_name$")
The above query is not working. I can't move the where next to lookup as I'm doing it on the eventstats field.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Add delimiter in the input and remove double quotes around the token in search query.
...
<fieldForLabel>grade_name</fieldForLabel>
<fieldForValue>grade_name</fieldForValue>
<delimiter>,</delimiter>
Search query:
|inputlookup prod_students.csv | table school_name, school_id,grade_name |eventstats max(grade_name) as mx min(grade_name) as mn by school_name,school_id| where grade_name IN ($grade_name$)
And if grade_name is part of prod_students.csv, then query will be(which is much faster):
| inputlookup prod_students.csv where grade_name IN ($grade_name$) | table school_name, school_id,grade_name |eventstats max(grade_name) as mx min(grade_name) as mn by school_name,school_id
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
The reason why it is failing is because your token is concatenating the results together and wrapping it in quotes. You need to specify the token value prefix and suffix and delimter in your xml like this:
<input type="multiselect" token="grade_name">
<label>Grade</label>
<default>9,6,7</default>
<fieldForLabel>grade_name</fieldForLabel>
<fieldForValue>grade_name</fieldForValue>
<search>
<query/>
</search>
<initialValue>9,6,7</initialValue>
<valuePrefix>"</valuePrefix>
<valueSuffix>"</valueSuffix>
<delimiter>, </delimiter>
</input>
You also need to remove the quotes around the token in your search so it looks like this:
| inputlookup prod_students.csv
| table school_name, school_id,grade_name
| eventstats max(grade_name) as mx min(grade_name) as mn by school_name,school_id
| where grade_name IN ($grade_name$)
If you do that your output will look like this in the search with the default:
| inputlookup prod_students.csv
| table school_name, school_id,grade_name
| eventstats max(grade_name) as mx min(grade_name) as mn by school_name,school_id
| where grade_name IN ("9","6","7")
Previously it looked like this:
| inputlookup prod_students.csv
| table school_name, school_id,grade_name
| eventstats max(grade_name) as mx min(grade_name) as mn by school_name,school_id
| where grade_name IN ("967")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Add delimiter in the input and remove double quotes around the token in search query.
...
<fieldForLabel>grade_name</fieldForLabel>
<fieldForValue>grade_name</fieldForValue>
<delimiter>,</delimiter>
Search query:
|inputlookup prod_students.csv | table school_name, school_id,grade_name |eventstats max(grade_name) as mx min(grade_name) as mn by school_name,school_id| where grade_name IN ($grade_name$)
And if grade_name is part of prod_students.csv, then query will be(which is much faster):
| inputlookup prod_students.csv where grade_name IN ($grade_name$) | table school_name, school_id,grade_name |eventstats max(grade_name) as mx min(grade_name) as mn by school_name,school_id
What Is Splunk? Here’s What You Can Do with Splunk
Level Up Your .conf25: Splunk Arcade Comes to Boston
Manual Instrumentation with Splunk Observability Cloud: How to Instrument Frontend ...
