Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Passing multiselect in Where clause
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've a multiselect.
<label>Grade</label>
<default>9,6,7</default>
<fieldForLabel>grade_name</fieldForLabel>
<fieldForValue>grade_name</fieldForValue>
<search>
<query/>
</search>
<initialValue>9,6,7</initialValue>
</input>
I want to pass these selected values in a where clause:
]
|inputlookup prod_students.csv | table school_name, school_id,grade_name |eventstats max(grade_name) as mx min(grade_name) as mn by school_name,school_id| where grade_name IN ("$grade_name$")
The above query is not working. I can't move the where next to lookup as I'm doing it on the eventstats field.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Add delimiter in the input and remove double quotes around the token in search query.
...
<fieldForLabel>grade_name</fieldForLabel>
<fieldForValue>grade_name</fieldForValue>
<delimiter>,</delimiter>
Search query:
|inputlookup prod_students.csv | table school_name, school_id,grade_name |eventstats max(grade_name) as mx min(grade_name) as mn by school_name,school_id| where grade_name IN ($grade_name$)
And if grade_name is part of prod_students.csv, then query will be(which is much faster):
| inputlookup prod_students.csv where grade_name IN ($grade_name$) | table school_name, school_id,grade_name |eventstats max(grade_name) as mx min(grade_name) as mn by school_name,school_id
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
The reason why it is failing is because your token is concatenating the results together and wrapping it in quotes. You need to specify the token value prefix and suffix and delimter in your xml like this:
<input type="multiselect" token="grade_name">
<label>Grade</label>
<default>9,6,7</default>
<fieldForLabel>grade_name</fieldForLabel>
<fieldForValue>grade_name</fieldForValue>
<search>
<query/>
</search>
<initialValue>9,6,7</initialValue>
<valuePrefix>"</valuePrefix>
<valueSuffix>"</valueSuffix>
<delimiter>, </delimiter>
</input>
You also need to remove the quotes around the token in your search so it looks like this:
| inputlookup prod_students.csv
| table school_name, school_id,grade_name
| eventstats max(grade_name) as mx min(grade_name) as mn by school_name,school_id
| where grade_name IN ($grade_name$)
If you do that your output will look like this in the search with the default:
| inputlookup prod_students.csv
| table school_name, school_id,grade_name
| eventstats max(grade_name) as mx min(grade_name) as mn by school_name,school_id
| where grade_name IN ("9","6","7")
Previously it looked like this:
| inputlookup prod_students.csv
| table school_name, school_id,grade_name
| eventstats max(grade_name) as mx min(grade_name) as mn by school_name,school_id
| where grade_name IN ("967")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Add delimiter in the input and remove double quotes around the token in search query.
...
<fieldForLabel>grade_name</fieldForLabel>
<fieldForValue>grade_name</fieldForValue>
<delimiter>,</delimiter>
Search query:
|inputlookup prod_students.csv | table school_name, school_id,grade_name |eventstats max(grade_name) as mx min(grade_name) as mn by school_name,school_id| where grade_name IN ($grade_name$)
And if grade_name is part of prod_students.csv, then query will be(which is much faster):
| inputlookup prod_students.csv where grade_name IN ($grade_name$) | table school_name, school_id,grade_name |eventstats max(grade_name) as mx min(grade_name) as mn by school_name,school_id
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
