Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

match field agains comma seperated list

d1rtym0nk3y
Explorer
‎05-08-2014 09:06 AM

I've got a table on a dashboard that passes a list of values to a detail page when you drilldown, the list is the value of a multi-value field generated by a transaction

for example. detail_view?form.id_list=123,456,789

in the detail view, i want to get all the events with a matching id, seems like this should be really simple but i can't figure out how to match a field with a single value against a dynamic list of values.

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎05-08-2014 10:00 AM

In details page, try something like this

your base search [|stats count | eval YourIdFieldName="$id_list$" | table YourIdFieldName | mvexpand YourIdFieldName | format] | ...rest of the query

Update:

If you are searching (in index=cdr ) field named cdrid (means index=cdr and cdrid=3402896d73b6040a1e10bb573d3feff7 gives you result) then try this:

your base search [|stats count | eval YourIdFieldName="$id_list$"  | makemv delim="," cdrid | table cdrid | mvexpand cdrid | format] | table ic_ip og_ip

If you just want to search literal value of id 3402896d73b6040a1e10bb573d3feff7 ( means index=cdr "3402896d73b6040a1e10bb573d3feff7" gives you result) then try this

your base search [|stats count | eval search="$id_list$"  | makemv delim="," search| table search| mvexpand search| format] | table ic_ip og_ip

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎05-08-2014 10:00 AM

In details page, try something like this

your base search [|stats count | eval YourIdFieldName="$id_list$" | table YourIdFieldName | mvexpand YourIdFieldName | format] | ...rest of the query

Update:

If you are searching (in index=cdr ) field named cdrid (means index=cdr and cdrid=3402896d73b6040a1e10bb573d3feff7 gives you result) then try this:

your base search [|stats count | eval YourIdFieldName="$id_list$"  | makemv delim="," cdrid | table cdrid | mvexpand cdrid | format] | table ic_ip og_ip

If you just want to search literal value of id 3402896d73b6040a1e10bb573d3feff7 ( means index=cdr "3402896d73b6040a1e10bb573d3feff7" gives you result) then try this

your base search [|stats count | eval search="$id_list$"  | makemv delim="," search| table search| mvexpand search| format] | table ic_ip og_ip
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎05-08-2014 02:27 PM

I missed one part my answer earlier. Try updated answer.

0 Karma
Reply
Solved! Jump to solution

d1rtym0nk3y
Explorer
‎05-08-2014 02:17 PM

This doesn't seem to work for me, probably because i don't understand whats happening here. If I open the dashboard in search heres the search command that the view is executing

index=cdr  [|stats count | eval cdrid="3402896d73b6040a1e10bb573d3feff7,6d0b5ef195848800f398d19860f0138e,b2a7e24d81515701bc9f9a111f545793" | table cdrid | mvexpand cdrid | format] | table ic_ip og_ip

if i search the id's individually they exist. Have I got something wrong here ?

0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...