Solved: Using Parameter in Search

splunkuser320 · ‎02-29-2024

I am trying to use parameter into the search using IN condition. Query is retuning results if I put data directly into the search but my dashboard logic require to use parameter .

........

| eval tasks = task1,task2,task3
| search NAME IN (tasks)

yuanliu · ‎03-12-2024

You can sort of do that. But why? This gets more convoluted that your problem warrants. Your OP says you are doing selector in dashboard logic. As @bowesmana said, that's precisely what multi-selector token is for.

But if you really need a CSV file to do so, name the column "NAME" instead of NAME_LIST. Then, split the value.

| search
    [inputlookup csv.csv
    | eval NAME = split(NAME, ",")]

It doesn't really do an IN operation but is semantically equivalent.

Here's an emulation

| makeresults format=csv data="NAME
task2
task4"
| search
    [inputlookup csv.csv
    | eval NAME = split(NAME, ",")]

Your sample CSV row will give you

NAME

task2

View solution in original post

splunkuser320 · ‎03-12-2024

I have comma separated list in Lookup table so after reading value from lookup table, can I do following ?

index=foo
| eval NAME_LIST="task1,task2,task3"
| search NAME IN (NAME_LIST)

yuanliu · ‎03-12-2024

You can sort of do that. But why? This gets more convoluted that your problem warrants. Your OP says you are doing selector in dashboard logic. As @bowesmana said, that's precisely what multi-selector token is for.

But if you really need a CSV file to do so, name the column "NAME" instead of NAME_LIST. Then, split the value.

| search
    [inputlookup csv.csv
    | eval NAME = split(NAME, ",")]

It doesn't really do an IN operation but is semantically equivalent.

Here's an emulation

| makeresults format=csv data="NAME
task2
task4"
| search
    [inputlookup csv.csv
    | eval NAME = split(NAME, ",")]

Your sample CSV row will give you

NAME

task2

splunkuser320 · ‎03-13-2024

Thanks for your help. Solution is working as expected.

bowesmana · ‎03-12-2024

This part won't work, as search can't take another field as it's constraint

| eval NAME_LIST="task1,task2,task3"
| search NAME IN (NAME_LIST)

bowesmana · ‎03-12-2024

How are you reading the values from the lookup table - you didn't say if this was a multiselect dropdown input?

No you cannot do what you suggest here. "parameters" generally mean tokens and multiselect specifically support this type of case.

bowesmana · ‎03-03-2024

If this is dashboard logic, where do your parameters come from, presumably they are tokens from somewhere.

If so, you can just construct the token appropriately so you have

| search $my_token$

where my_token is constructed elsewhere. It is from a multiselect dropdown? If so, just use the settings in the multiselect option to set the token prefix/delimiter values

yuanliu · ‎03-01-2024

Also, if NAME field is available in raw events at search time, you should include the subsearch in index search to improve performance. Like

index=foo NAME IN (
    [| makeresults 
    |  eval search="tas1,task2,task3"])

If NAME is populated by some calculation from SPL, you need @richgalloway's full solution. But I believe you will need format command for the meta keyword search to work.

richgalloway · ‎02-29-2024

Use a subsearch.

index=foo
| search NAME IN (
    [| makeresults 
    |  eval search="task1,task2,task3"])

---
If this reply helps you, Karma would be appreciated.

Using Parameter in Search

fields

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio