I am trying to use a parameter in the search with an IN condition. The query is returning results if I put the data directly into the search, but my dashboard logic requires using a parameter.
........
| eval tasks = task1,task2,task3
| search NAME IN (tasks)
I have a comma-separated list in a lookup table, so after reading the value from the lookup table, can I do the following?
index=foo
| eval NAME_LIST="task1,task2,task3"
| search NAME IN (NAME_LIST)
You can sort of do that. But why? This gets more convoluted than your problem warrants. Your OP says you are doing selector in dashboard logic. As @bowesmana said, that's precisely what multi-selector token is for.
But if you really need a CSV file to do so, name the column "NAME" instead of NAME_LIST. Then, split the value.
| search
[inputlookup csv.csv
| eval NAME = split(NAME, ",")]
It doesn't really do an IN operation but is semantically equivalent.
Here's an emulation
| makeresults format=csv data="NAME
task2
task4"
| search
[inputlookup csv.csv
| eval NAME = split(NAME, ",")]
Your sample CSV row will give you
NAME |
task2 |
Thanks for your help. Solution is working as expected.
This part won't work, as search can't take another field as its constraint
| eval NAME_LIST="task1,task2,task3"
| search NAME IN (NAME_LIST)
How are you reading the values from the lookup table - you didn't say if this was a multiselect dropdown input?
No, you cannot do what you suggest here. "Parameters" generally mean tokens, and multiselect specifically supports this type of case.
If this is dashboard logic, where do your parameters come from, presumably they are tokens from somewhere.
If so, you can just construct the token appropriately so you have
| search $my_token$
where my_token is constructed elsewhere. Is it from a multiselect dropdown? If so, just use the settings in the multiselect option to set the token prefix/delimiter values.
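The multiselect settings mentioned above, as an added Simple XML example that is not part of the original posts: the input's prefix, suffix, value prefix/suffix and delimiter build the whole `NAME IN (...)` clause into `my_token`. The dashboard label, static choices, default value, time range and table columns are constructed for illustration.

```xml
<form version="1.1">
  <label>Task search (constructed example)</label>
  <fieldset submitButton="false">
    <input type="multiselect" token="my_token" searchWhenChanged="true">
      <label>Task name</label>
      <!-- Static choices reuse the task names from the thread -->
      <choice value="task1">task1</choice>
      <choice value="task2">task2</choice>
      <choice value="task3">task3</choice>
      <default>task1</default>
      <!-- Token assembly: selecting task1 and task3 yields
           NAME IN ("task1","task3") -->
      <prefix>NAME IN (</prefix>
      <!-- Quoting each value keeps a name containing spaces as one term -->
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter>,</delimiter>
      <suffix>)</suffix>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- The token already carries the complete IN clause -->
          <query>index=foo | search $my_token$ | table _time NAME</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```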
Also, if the NAME field is available in raw events at search time, you should include the subsearch in the index search to improve performance. Like
index=foo NAME IN (
[| makeresults
| eval search="task1,task2,task3"])
If NAME is populated by some calculation from SPL, you need @richgalloway's full solution. But I believe you will need the format command for the meta keyword search to work.
Use a subsearch.
index=foo
| search NAME IN (
[| makeresults
| eval search="task1,task2,task3"])