Splunk Search

Using Parameter in Search

splunkuser320
Path Finder

I am trying to use a parameter in the search using an IN condition.  The query is returning results if I put the data directly into the search, but my dashboard logic requires using a parameter.

........

| eval tasks = task1,task2,task3
| search NAME IN (tasks)
0 Karma
1 Solution

yuanliu
SplunkTrust
SplunkTrust

You can sort of do that.  But why?  This gets more convoluted than your problem warrants.  Your OP says you are using a selector in dashboard logic.  As @bowesmana said, that's precisely what the multi-selector token is for.

But if you really need a CSV file to do so, name the column "NAME" instead of NAME_LIST.  Then, split the value.

| search
    [inputlookup csv.csv
    | eval NAME = split(NAME, ",")]

It doesn't really do an IN operation but is semantically equivalent.

Here's an emulation

| makeresults format=csv data="NAME
task2
task4"
| search
    [inputlookup csv.csv
    | eval NAME = split(NAME, ",")]

Your sample CSV row will give you

NAME
task2

0 Karma

splunkuser320
Path Finder

I have a comma-separated list in a lookup table, so after reading the value from the lookup table, can I do the following?

index=foo
| eval NAME_LIST="task1,task2,task3"
| search NAME IN (NAME_LIST)

0 Karma

splunkuser320
Path Finder

Thanks for your help. Solution is working as expected. 

bowesmana
SplunkTrust
SplunkTrust

This part won't work, as search can't take another field as its constraint:

| eval NAME_LIST="task1,task2,task3"
| search NAME IN (NAME_LIST)

0 Karma

bowesmana
SplunkTrust
SplunkTrust

How are you reading the values from the lookup table - you didn't say if this was a multiselect dropdown input?

No, you cannot do what you suggest here. "Parameters" generally mean tokens, and multiselect specifically supports this type of case.

0 Karma

bowesmana
SplunkTrust
SplunkTrust

If this is dashboard logic, where do your parameters come from? Presumably they are tokens from somewhere.

If so, you can just construct the token appropriately so you have

| search $my_token$

where my_token is constructed elsewhere. Is it from a multiselect dropdown? If so, just use the settings in the multiselect option to set the token prefix/delimiter values.

0 Karma

yuanliu
SplunkTrust
SplunkTrust

Also, if the NAME field is available in raw events at search time, you should include the subsearch in the index search to improve performance.  Like

index=foo NAME IN (
    [| makeresults
    | eval search="task1,task2,task3"])

If NAME is populated by some calculation from SPL, you need @richgalloway's full solution.  But I believe you will need the format command for the meta keyword search to work.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Use a subsearch.

index=foo
| search NAME IN (
    [| makeresults
    | eval search="task1,task2,task3"])

---
If this reply helps you, Karma would be appreciated.
0 Karma
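As an added example, not code from any poster in this thread or from Splunk's own documentation, here is a Simple XML dashboard that puts both approaches side by side: bowesmana's multiselect token with prefix/delimiter settings, and the lookup-driven subsearch with an explicit format command that yuanliu and richgalloway describe. It assumes an index `foo` whose events carry a field `NAME`, and a lookup `csv.csv` with a single row whose column `NAME_LIST` holds a comma-separated list such as `task1,task2,task3`; the choice values, panel titles and the 24-hour time range are made up for the example.

```xml
<form>
  <label>Task filter (added example, not from the thread)</label>
  <fieldset submitButton="false">
    <!-- Multiselect input: Splunk assembles the IN clause itself.
         With task1 and task2 selected, $task_tok$ expands to
           NAME IN ("task1","task2")
         valuePrefix/valueSuffix quote each value so a task name with
         spaces or punctuation stays a single search term. -->
    <input type="multiselect" token="task_tok">
      <label>Task</label>
      <choice value="task1">task1</choice>
      <choice value="task2">task2</choice>
      <choice value="task3">task3</choice>
      <prefix>NAME IN (</prefix>
      <suffix>)</suffix>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter>,</delimiter>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Filtered by multiselect token</title>
      <table>
        <search>
          <!-- The token is placed in the base search, so the filter
               is applied at index time rather than after a | search. -->
          <query>index=foo $task_tok$ | stats count BY NAME</query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
    <panel>
      <title>Filtered by list stored in a lookup (assumed csv.csv)</title>
      <table>
        <search>
          <!-- The subsearch turns the comma-separated NAME_LIST value
               into one row per task, then format renders those rows as
                 ( ( NAME="task1" ) OR ( NAME="task2" ) OR ( NAME="task3" ) )
               which is spliced into the outer search. -->
          <query>index=foo
    [| inputlookup csv.csv
     | eval NAME = split(NAME_LIST, ",")
     | mvexpand NAME
     | fields NAME
     | format]
| stats count BY NAME</query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Two things worth checking when adapting this: the Job Inspector shows the fully expanded search string for each panel, which is the quickest way to confirm the token or subsearch produced the clause you expected, and subsearches are capped by the maxout setting in limits.conf (10,000 results by default), so a very long task list should be filtered in the subsearch rather than expanded in full.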