Change & Condition within a multiselect with token

jmorenog · ‎05-25-2021

The first change condition is working fine but the second one I have where I setting a token with a different value is not.

What I want to do is to change the search query when the value is "All". And when the value has categories add the where to the query

Let me show what I have:

<input type="multiselect" token="categories" searchWhenChanged="false">
<label>Select Categories</label>
<fieldForLabel>category</fieldForLabel>
<fieldForValue>category</fieldForValue>
<search>
<query>index=abc "allcategories"
</search>
<valuePrefix>"</valuePrefix>
<choice value="*">All</choice>
<change>
<condition value="*">
<set token="search_filter1">index=abc </set>
</condition>
<condition>
<set token="search_filter1">index=abc | where category IN ($categories$)</set>
</condition>
</change>
</input>

Then I have a panel like this

<panel>
<title>Panel by categories</title>
<table>
<search>
<query>$search_filter1$ | stats count by category</query>
</search>
</table>
</panel>

ITWhisperer · ‎05-26-2021

You could do something like this:

<input type="multiselect" token="categories" searchWhenChanged="false">
    <label>Select Categories</label>
    <fieldForLabel>category</fieldForLabel>
    <fieldForValue>category</fieldForValue>
    <choice value="All">All</choice>
    <search>
       <query>index=abc  "allcategories"
    </search>
    <prefix>index=abc | where (</prefix>
    <valuePrefix>category="</valuePrefix>
    <valueSuffix>"</valueSuffix>
    <delimiter> OR </delimiter>
    <suffix>)</suffix>
    <change>
       <eval token="form.categories">case(mvcount('form.categories')=0,"All",mvcount('form.categories')&gt;1 AND mvfind('form.categories',"All")&gt;0,"All",mvcount('form.categories')&gt;1 AND mvfind('form.categories',"All")=0,mvfilter('form.categories'!="All"),1==1,'form.categories')</eval>
       <eval token="search_filter1">if(mvfind('form.categories',"All")=0,"index=abc",$categories$)</eval>
   </change>
</input>

Things to note: the static choice of All is first - this is required so that the mvfind will return 0 if All has been selected; the case in the first eval does a number of things, it sets the default to "All", it sets the field to just "All" if "All" is selected when there are other choices selected, it removes "All" if other choices are selected after "All"; the second eval sets the search filter based on whether "All" is at the beginning of the selection; rather than using IN, this builds a set of OR'd comparisons, you could modify it to generate an IN clause if you prefer.

bowesmana · ‎05-25-2021

@jmorenog

<change> is not officially supported for multiselect inputs, see https://docs.splunk.com/Documentation/Splunk/8.1.4/Viz/PanelreferenceforSimplifiedXML#input_.28form....

I am not sure what will happen with <change> in that context, but your definition of the multiselect only has a valuePrefix, no suffix, delimeter or token prefix/suffix, so not sure what $categories$ will represent when you add/remove options.

jmorenog · ‎05-26-2021

Thanks for your answer @bowesmana

Ohh I didn't know change is not support for multiselect. Thanks

I forgot to add those values but here they go:

There are 4 categories: A, B, C, D in the multiselect. If there are categories selected in the input, I want to add to the query "| where category IN ($categories$)". But if is "All" I don't want that statement.

Change & Condition within a multiselect with token

simple XML

token

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...