Splunk Search

match field against comma separated list

Explorer

I've got a table on a dashboard that passes a list of values to a detail page when you drill down; the list is the value of a multi-value field generated by a transaction.

For example: detailview?form.idlist=123,456,789

In the detail view, I want to get all the events with a matching id. It seems like this should be really simple, but I can't figure out how to match a field with a single value against a dynamic list of values.


Re: match field against comma separated list

SplunkTrust

In the details page, try something like this:

your base search [|stats count | eval YourIdFieldName="$id_list$" | table YourIdFieldName | mvexpand YourIdFieldName | format] | ...rest of the query

Update:

If you are searching (in index=cdr) a field named cdrid (meaning index=cdr cdrid=3402896d73b6040a1e10bb573d3feff7 gives you results), then try this:

your base search [|stats count | eval cdrid="$id_list$" | makemv delim="," cdrid | table cdrid | mvexpand cdrid | format] | table ic_ip og_ip

If you just want to search for the literal value of id 3402896d73b6040a1e10bb573d3feff7 (meaning index=cdr "3402896d73b6040a1e10bb573d3feff7" gives you results), then try this:

your base search [|stats count | eval search="$id_list$" | makemv delim="," search | table search | mvexpand search | format] | table ic_ip og_ip

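As an added worked example (not part of the original thread or the answerer's post), here is the accepted answer's subsearch approach written out end to end for the asker's cdrid case. The index, the cdrid / ic_ip / og_ip field names and the token name idlist (from form.idlist in the question's URL) come from the thread; the use of Splunk's `|s` token filter, which wraps the token value in double quotes and escapes embedded quotes and backslashes before it is substituted, is an addition here, so that the value arriving from the URL reaches eval as one string literal rather than being spliced into the search verbatim.

```spl
index=cdr
    [| makeresults
     | eval cdrid=$idlist|s$
     | makemv delim="," cdrid
     | mvexpand cdrid
     | table cdrid
     | format]
| table ic_ip og_ip
```

For the three IDs in the asker's post, the subsearch's format command returns `( ( cdrid="3402896d73b6040a1e10bb573d3feff7" ) OR ( cdrid="6d0b5ef195848800f398d19860f0138e" ) OR ( cdrid="b2a7e24d81515701bc9f9a111f545793" ) )`, which is what the outer `index=cdr` search then runs; replace `eval cdrid=...` with `eval search=...` to get bare `"..." OR "..."` terms instead. Without makemv the eval field is a single string containing commas, so nothing matches. Two caveats: subsearches are capped by limits.conf `[subsearch]` defaults of 10,000 results and 60 seconds, ample for a drilldown list but not for very large ones; and an unfiltered token such as `"$idlist$"` is substituted verbatim, so anyone who can craft the detail-view URL can close the quote and append their own SPL, which the `|s` filter prevents. The compact `cdrid IN (...)` form has the same verbatim-substitution problem with a raw token.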


Re: match field against comma separated list

Explorer

This doesn't seem to work for me, probably because I don't understand what's happening here. If I open the dashboard in search, here's the search command that the view is executing:

index=cdr [|stats count | eval cdrid="3402896d73b6040a1e10bb573d3feff7,6d0b5ef195848800f398d19860f0138e,b2a7e24d81515701bc9f9a111f545793" | table cdrid | mvexpand cdrid | format] | table ic_ip og_ip

If I search for the IDs individually, they exist. Have I got something wrong here?


Re: match field against comma separated list

SplunkTrust

I missed one part in my answer earlier. Try the updated answer.
