Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Passing multiselect in Where clause
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jonu4u
New Member
02-13-2020
02:49 AM
I've a multiselect.
<label>Grade</label>
<default>9,6,7</default>
<fieldForLabel>grade_name</fieldForLabel>
<fieldForValue>grade_name</fieldForValue>
<search>
<query/>
</search>
<initialValue>9,6,7</initialValue>
</input>
I want to pass these selected values in a where clause:
]
|inputlookup prod_students.csv | table school_name, school_id,grade_name |eventstats max(grade_name) as mx min(grade_name) as mn by school_name,school_id| where grade_name IN ("$grade_name$")
The above query is not working. I can't move the where next to lookup as I'm doing it on the eventstats field.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
manjunathmeti
Champion
02-13-2020
06:43 AM
Add delimiter in the input and remove double quotes around the token in search query.
...
<fieldForLabel>grade_name</fieldForLabel>
<fieldForValue>grade_name</fieldForValue>
<delimiter>,</delimiter>
Search query:
|inputlookup prod_students.csv | table school_name, school_id,grade_name |eventstats max(grade_name) as mx min(grade_name) as mn by school_name,school_id| where grade_name IN ($grade_name$)
And if grade_name is part of prod_students.csv, then query will be(which is much faster):
| inputlookup prod_students.csv where grade_name IN ($grade_name$) | table school_name, school_id,grade_name |eventstats max(grade_name) as mx min(grade_name) as mn by school_name,school_id
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dmarling
Builder
02-13-2020
06:50 AM
Hello,
The reason why it is failing is because your token is concatenating the results together and wrapping it in quotes. You need to specify the token value prefix and suffix and delimter in your xml like this:
<input type="multiselect" token="grade_name">
<label>Grade</label>
<default>9,6,7</default>
<fieldForLabel>grade_name</fieldForLabel>
<fieldForValue>grade_name</fieldForValue>
<search>
<query/>
</search>
<initialValue>9,6,7</initialValue>
<valuePrefix>"</valuePrefix>
<valueSuffix>"</valueSuffix>
<delimiter>, </delimiter>
</input>
You also need to remove the quotes around the token in your search so it looks like this:
| inputlookup prod_students.csv
| table school_name, school_id,grade_name
| eventstats max(grade_name) as mx min(grade_name) as mn by school_name,school_id
| where grade_name IN ($grade_name$)
If you do that your output will look like this in the search with the default:
| inputlookup prod_students.csv
| table school_name, school_id,grade_name
| eventstats max(grade_name) as mx min(grade_name) as mn by school_name,school_id
| where grade_name IN ("9","6","7")
Previously it looked like this:
| inputlookup prod_students.csv
| table school_name, school_id,grade_name
| eventstats max(grade_name) as mx min(grade_name) as mn by school_name,school_id
| where grade_name IN ("967")
If this comment/answer was helpful, please up vote it. Thank you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
manjunathmeti
Champion
02-13-2020
06:43 AM
Add delimiter in the input and remove double quotes around the token in search query.
...
<fieldForLabel>grade_name</fieldForLabel>
<fieldForValue>grade_name</fieldForValue>
<delimiter>,</delimiter>
Search query:
|inputlookup prod_students.csv | table school_name, school_id,grade_name |eventstats max(grade_name) as mx min(grade_name) as mn by school_name,school_id| where grade_name IN ($grade_name$)
And if grade_name is part of prod_students.csv, then query will be(which is much faster):
| inputlookup prod_students.csv where grade_name IN ($grade_name$) | table school_name, school_id,grade_name |eventstats max(grade_name) as mx min(grade_name) as mn by school_name,school_id
Get Updates on the Splunk Community!
Detecting Brute Force Account Takeover Fraud with Splunk
This article is the second in a three-part series exploring advanced fraud detection techniques using Splunk. ...
Buttercup Games: Further Dashboarding Techniques (Part 9)
This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Buttercup Games: Further Dashboarding Techniques (Part 8)
This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
