Hi all,
I have 2 multiselect dropdowns. One is dependent on other dropdown.
The first drop down has groups and second has sub groups. I am facing some problem in appending the subgroup value to the respective group.
For example, lets assume that group has values a b c and only c has subgroup that is x ,y. I want to append that subgroup as c_x and c_y and pass it to the query.
I tried adding suffix in dropdown itself. But when the tokens are selected in any order it is adding the sub group to whole token, that is if i select b,c,a it will add subgroup as b,c,a_x and b,c,a_y.
Any suggestions on how can i correctly append the sub group to respective groups and use it in the query.
Hi @anooshac ,
you can use in the first multivalue the following search:
| makeresults
| eval group="a"
| append [| makeresults | eval group="b"]
| append [| makeresults | eval group="c", subgroup="x"]
| append [| makeresults | eval group="c", subgroup="y"]
| dedup group
| sort group
| table group
and in the second multivalue the following search:
| makeresults
| eval group="a"
| append [| makeresults | eval group="b"]
| append [| makeresults | eval group="c", subgroup="x"]
| append [| makeresults | eval group="c", subgroup="y"]
| table group subgroup
| search group=$group$
| eval value=group.if(isnotnull(subgroup),"_".subgroup,"")
then you can use the second value in your panels.
Obviously thgis is a sample to adapt to your search.
Ciao.
Giuseppe
Hi, @gcusello ,
Thanks for the reply. I have one concern, in the mutliselect dropdown the values selected will be a,b,c or b,c,a etc which will be comma separated.
In such conditions will this logic will work?
Hi @anooshac,
my sample is a sample without any logic except the one you described.
So the order of values isn't relevant and can also be different.
If you have many values, I hint to use a lookup.
Ciao.
Giuseppe
Thank you @gcusello , I'll try using lookup.
Hi @anooshac ,
good for you, see next time!
let me know if I can help you more, or, please, accept one answer for the other people of Community.
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated 😉