I've got a table on a dashboard that passes a list of values to a detail page when you drilldown, the list is the value of a multi-value field generated by a transaction
for example. detailview?form.idlist=123,456,789
in the detail view, i want to get all the events with a matching id, seems like this should be really simple but i can't figure out how to match a field with a single value against a dynamic list of values.
In details page, try something like this
your base search [|stats count | eval YourIdFieldName="$id_list$" | table YourIdFieldName | mvexpand YourIdFieldName | format] | ...rest of the query
If you are searching (in
index=cdr ) field named cdrid (means
index=cdr and cdrid=3402896d73b6040a1e10bb573d3feff7 gives you result) then try this:
your base search [|stats count | eval YourIdFieldName="$id_list$" | makemv delim="," cdrid | table cdrid | mvexpand cdrid | format] | table ic_ip og_ip
If you just want to search literal value of id
3402896d73b6040a1e10bb573d3feff7 ( means
index=cdr "3402896d73b6040a1e10bb573d3feff7" gives you result) then try this
your base search [|stats count | eval search="$id_list$" | makemv delim="," search| table search| mvexpand search| format] | table ic_ip og_ip
This doesn't seem to work for me, probably because i don't understand whats happening here. If I open the dashboard in search heres the search command that the view is executing
index=cdr [|stats count | eval cdrid="3402896d73b6040a1e10bb573d3feff7,6d0b5ef195848800f398d19860f0138e,b2a7e24d81515701bc9f9a111f545793" | table cdrid | mvexpand cdrid | format] | table ic_ip og_ip
if i search the id's individually they exist. Have I got something wrong here ?