Passing multiselect token to the macros

smanojkumar
Contributor

Hi Splunkers,
   I have a multiselect value whose results need to be passed to a macro.
   Can you please help with that?

   The need is to pass the multiselect values to the token $macros2$, where each multiselect value is a macro itself.

Multiselect values:

1. value 1
2. value 2
3. value 3
4. All


search:

`macros1(`$macros2$`,  now(), -15d@d, *, virus, *, *, *)`

Thanks in Advance!

Manoj Kumar S

smanojkumar
Contributor

Hi @yuanliu ,

   Sorry for the mistake!

   `macros1(`$macros2$`,  now(), -15d@d, *, virus, *, *, *)`

The values to be passed in macros2 are multiselect. I get an error if I pass two values at a time, because each value passed is an individual macro which has a different search in it. I need an OR condition to be performed in that case.

Thanks in Advance!

Manoj Kumar S

yuanliu
SplunkTrust

First, you need to be very precise if you are to cite a code snippet, even for pseudo code.  `macros1(`$macros2$`,  now(), -15d@d, *, virus, *, *, *)` is simply incorrect because Splunk will give you an error about macro macro1( not defined or no permission, or a similar error.  When you open a macro invocation with a back tick, Splunk expects you to close it with the closest back tick.  In your sample, Splunk will be looking for two macros, one named macros1(, the other named ,  now(), -15d@d, *, virus, *, *, *).  I am certain that neither of them exists.

Second, do not name your token so similarly to the macro name so you don't confuse yourself during diagnosis.  If this is pseudo code, do not name mock token so close to mock macro name, so you don't confuse volunteers here who are trying to help diagnose.

Third, if a parameter is causing an error in a macro, you need to explain how this parameter is being used inside that macro as well as how the macro is invoked in the actual search, so volunteers here do not waste their time reading your mind.


I need OR condition to be performed on that case.   

Suppose your input has delimiter OR, and you first select stringA, then select stringB. Nothing else is defined.  Your token would contain stringA OR stringB, as a bare string.  Suppose your macro1(1) is

search $mytok$

mytok being the token name you set in the macro (again, do not name it very close to the macro's own name), and if the search that invokes the macro is

| `macro1($multiselect_tok$)`

$multiselect_tok$ being the name of the token in the multiselect input. (You can name it semantically, but never too close to the macro's own name.)  There will be no problem with the search.  It will behave as if you entered

| search stringA OR stringB

Without relevant information about the macro and about the search that uses the macro, your question is unanswerable.

smanojkumar
Contributor

Hi @yuanliu 

   I just renamed some fields; here is the exact one. I modified a few things based on your reply.

<input type="checkbox" token="index_scope" searchWhenChanged="true">
  <label>Choose console</label>
  <choice value="1T*">Standard</choice>
  <choice value="2A*">Scada</choice>
  <choice value="2S*">AWS</choice>
  <default>1T*</default>
  <initialValue>1T*</initialValue>
</input>


Here is the search

`compliance($index_scope$, now(), $timerange$, $scope$, $origin$, $country$, $cacp$)`

 

It's not working as expected with multiselect; earlier, with the dropdown, it was working fine.

Thanks!

yuanliu
SplunkTrust

You didn't show how $index_scope$ is used inside the macro.  Using hints from the sample values, that dropdown based on these values used to work as desired, and from semantic heuristics, as well as your choice of token name, I can only speculate that inside your macro `compliance(7)`, you use the first input in a search command, i.e., (I'll call the first input $input1$ - which corresponds to $mytok$ in my previous illustration), the macro has a command like

index=$input1$

The following will be based on this speculation.  If this is too far from the real macro code, the analysis will not apply although I will try to be as general as can be meaningfully presented. (As you can see, I wouldn't have to make wild guesses which may well be incorrect had you provided relevant information.)

The second part of the analysis will focus on input options that you can set when setting a multiselect input as I exemplified earlier.

(Screenshot: token-options.png)

In your sample code, none of these is set.  In that case, Splunk will use a space as default delimiter, and give no prefix and no suffix.  I have not found the tutorial about input, but definitive information is in input (form).  To help you understand how these choices affect resultant token, I drafted this test dashboard for you to play with:

<form version="1.1">
  <label>Checkbox test</label>
  <fieldset submitButton="false">
    <input type="checkbox" token="index_scope" searchWhenChanged="true">
      <label>Choose console</label>
      <choice value="1T*">Standard</choice>
      <choice value="2A*">Scada</choice>
      <choice value="2S*">AWS</choice>
      <default>1T*</default>
      <initialValue>1T*</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults
| eval index_scope = "$index_scope$"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

The third part of analysis is straightforward with search command.  Understandably, if you select "Standard" from a dropdown, or if only Standard is checked, your macro will get the command

search index=1T*

(The search command is implied if it is on the first line.  Otherwise you must write it explicitly.)  Now, if you select "Standard" and "Scada", the macro will get

search index=1T* 2A*

I suspect that you are expecting something like index=1T* OR index=2A* instead.  Is this correct?  One way to do this, obviously, is to set Delimiter to " OR ", and value prefix to "index=".  Note the space before and after keyword "OR" is important.

<form version="1.1" theme="light">
  <label>Checkbox test</label>
  <fieldset submitButton="false">
    <input type="checkbox" token="index_scope" searchWhenChanged="true">
      <label>Choose console</label>
      <choice value="1T*">Standard</choice>
      <choice value="2A*">Scada</choice>
      <choice value="2S*">AWS</choice>
      <default>1T*</default>
      <initialValue>1T*</initialValue>
      <delimiter> OR </delimiter>
      <valuePrefix>index=</valuePrefix>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults
| eval index_scope = "$index_scope$"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

 

fredclown
Builder

Another option would be to set the delimiter to a comma in the multiselect, then in the macro use the IN keyword like this ...

index IN ($index_scope$) ... #The rest of the macro# ....
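
An added example (not part of any post above, and not Splunk code) that models how the input options discussed by yuanliu and fredclown shape the token string, and what SPL results once it is substituted into the macro. The helper names and the three macro bodies are assumptions; the choice values come from the thread.

```python
# Added model, not Splunk code: render_token(), expand() and unscoped_terms()
# are hypothetical helpers; the macro bodies below are assumptions.
import re


def render_token(selected, delimiter=" ", prefix="", suffix="",
                 value_prefix="", value_suffix=""):
    """Build the token string from the checked values and the input options."""
    parts = [f"{value_prefix}{v}{value_suffix}" for v in selected]
    return f"{prefix}{delimiter.join(parts)}{suffix}"


def expand(macro_body, token):
    """Substitute the token text for $input1$ in the macro body."""
    return macro_body.replace("$input1$", token)


def unscoped_terms(spl):
    """Terms not bound to a field: they match raw event text, not the index."""
    rest = re.sub(r"\b\w+\s+IN\s*\([^)]*\)", " ", spl)
    return [t for t in rest.split()
            if "=" not in t and t.upper() not in {"OR", "AND", "NOT"}]


SELECTED = ["1T*", "2A*"]  # Standard and Scada checked (values from the thread)

# name -> (input options, assumed macro body)
CASES = {
    "default":  ({}, "index=$input1$"),
    # valuePrefix already supplies "index=", so the body must not repeat it
    "or":       ({"delimiter": " OR ", "value_prefix": "index="}, "$input1$"),
    "in":       ({"delimiter": ","}, "index IN ($input1$)"),
}


def demo():
    """Return {case: (expanded SPL, unscoped terms)} for each configuration."""
    out = {}
    for name, (opts, body) in CASES.items():
        spl = expand(body, render_token(SELECTED, **opts))
        out[name] = (spl, unscoped_terms(spl))
    return out


if __name__ == "__main__":
    for name, (spl, loose) in demo().items():
        print(f"{name:8} {spl!r:32} unscoped={loose}")
```

With the default options the second value ends up as a bare search term outside the index filter, which is the failure the thread is diagnosing; the other two configurations keep every value scoped to `index`.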

yuanliu
SplunkTrust

You need to clarify the problem.

   The need to pass the multiselect values to macros2


Forget multiselect values.  What is this macros2?  If this is yet another macro, SPL syntax forbids you from invoking a macro as parameter of another macro.  Do you mean macros2 represents the value from this multiselect token?  In that case, you cannot use single quote. (The outer quote in your pseudo code is also incorrect.  A macro is invoked by a pair of back ticks (`), not (').)

It really doesn't matter whether the token is multiselect or of any other type.  The dashboard simply treats the resultant value as a string.  How the string is formatted depends on the INPUT settings: what the delimiter is, whether prefix and postfix are used, whether value prefix and value postfix are used, etc.  In this regard, I don't see any question that can be answered based on your description.
