Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Is it possible to use match in an initial search execution?

nick405060
Motivator
‎06-05-2019 04:32 PM

Hey guys

So I would like to have a search select events from myindex based on what the user selects in a multiselect.

One way that I can think to do this is to do:

index=myindex ("some raw string that option1 represents ending in a space " AND match($multiselect$,"option1")) OR ("some raw string that option2 represents not ending in a space" AND match($multiselect$,"option2"))  OR ("some raw string that option3 represents ending in a space " AND match($multiselect$,"option3"))

However this option does not work. You cannot do a match in the initial search execution, as far as I can tell. Is this correct? I tried just index=myindex AND match("asdf","asdf") | head 1 and that doesn't work. I could eval temp="$multiselect$" and then match(temp,"option1") however that is not an elegant solution. I want to search for the strings during the initial search because that time complexity is exponentially better. Also I can't use valuePrefix/delimiter because the searched strings end in a white space per https://answers.splunk.com/answers/750199/how-can-i-include-a-trailing-whitespace-in-a-multi.html

Thoughts?

0 Karma
Reply

maciep
Champion
‎06-05-2019 04:48 PM

if i add the space in the simple xml, it seems to honor it? See the valueSuffix below. When i went back to the gui, it kept the space.

<input type="multiselect" token="field1">
  <label>field1</label>
  <choice value="some raw text option1">option 1</choice>
  <choice value="some raw text option 2">option2</choice>
  <prefix>(</prefix>
  <suffix>)</suffix>
  <valuePrefix>"</valuePrefix>
  <valueSuffix> "</valueSuffix>
  <delimiter> OR </delimiter>
</input>
0 Karma
Reply

nick405060
Motivator
‎06-05-2019 04:56 PM

but not every value ends in a space. so I can't just add the suffix for all.

0 Karma
Reply

maciep
Champion
‎06-05-2019 05:21 PM

ah...rtfm...got it.

0 Karma
Reply

nick405060
Motivator
‎06-05-2019 05:40 PM

rtfm? there is zero in documentation about either question

0 Karma
Reply

maciep
Champion
‎06-05-2019 05:57 PM

oh sorry, that was a reference to me not reading your question closely ("read the f'ing manual").

how about including the quotes in the values instead of the prefix suffix?

   <input type="multiselect" token="field1">
      <label>field1</label>
      <choice value="&quot;some raw text option &quot;">option 1</choice>
      <choice value="&quot;some raw text option&quot;">option2</choice>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <valuePrefix></valuePrefix>
      <valueSuffix></valueSuffix>
      <delimiter> OR </delimiter>
    </input>
0 Karma
Reply

nick405060
Motivator
‎06-10-2019 09:23 AM

Still dumps the white space.

0 Karma
Reply

nick405060
Motivator
‎06-05-2019 06:04 PM

o cool. will try tomorrow AM thx!!

0 Karma
Reply
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...