Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is it possible to use match in an initial search execution?

nick405060
Motivator
‎06-05-2019 04:32 PM

Hey guys

So I would like to have a search select events from myindex based on what the user selects in a multiselect.

One way that I can think to do this is to do:

index=myindex ("some raw string that option1 represents ending in a space " AND match($multiselect$,"option1")) OR ("some raw string that option2 represents not ending in a space" AND match($multiselect$,"option2"))  OR ("some raw string that option3 represents ending in a space " AND match($multiselect$,"option3"))

However this option does not work. You cannot do a match in the initial search execution, as far as I can tell. Is this correct? I tried just index=myindex AND match("asdf","asdf") | head 1 and that doesn't work. I could eval temp="$multiselect$" and then match(temp,"option1") however that is not an elegant solution. I want to search for the strings during the initial search because that time complexity is exponentially better. Also I can't use valuePrefix/delimiter because the searched strings end in a white space per https://answers.splunk.com/answers/750199/how-can-i-include-a-trailing-whitespace-in-a-multi.html

Thoughts?

0 Karma
Reply

maciep
Champion
‎06-05-2019 04:48 PM

if i add the space in the simple xml, it seems to honor it? See the valueSuffix below. When i went back to the gui, it kept the space.

<input type="multiselect" token="field1">
  <label>field1</label>
  <choice value="some raw text option1">option 1</choice>
  <choice value="some raw text option 2">option2</choice>
  <prefix>(</prefix>
  <suffix>)</suffix>
  <valuePrefix>"</valuePrefix>
  <valueSuffix> "</valueSuffix>
  <delimiter> OR </delimiter>
</input>
0 Karma
Reply

nick405060
Motivator
‎06-05-2019 04:56 PM

but not every value ends in a space. so I can't just add the suffix for all.

0 Karma
Reply

maciep
Champion
‎06-05-2019 05:21 PM

ah...rtfm...got it.

0 Karma
Reply

nick405060
Motivator
‎06-05-2019 05:40 PM

rtfm? there is zero in documentation about either question

0 Karma
Reply

maciep
Champion
‎06-05-2019 05:57 PM

oh sorry, that was a reference to me not reading your question closely ("read the f'ing manual").

how about including the quotes in the values instead of the prefix suffix?

   <input type="multiselect" token="field1">
      <label>field1</label>
      <choice value="&quot;some raw text option &quot;">option 1</choice>
      <choice value="&quot;some raw text option&quot;">option2</choice>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <valuePrefix></valuePrefix>
      <valueSuffix></valueSuffix>
      <delimiter> OR </delimiter>
    </input>
0 Karma
Reply

nick405060
Motivator
‎06-10-2019 09:23 AM

Still dumps the white space.

0 Karma
Reply

nick405060
Motivator
‎06-05-2019 06:04 PM

o cool. will try tomorrow AM thx!!

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...