I use multisearch to build a list of search terms, then use them in different contexts: for building a "normal" search string, and also at the beginning with a TERM. All these search strings have different formats:
index=info (TERM(something) OR TERM(something2)) .... | more processing | search field=something OR field=something
My approach is to use a multiselect to build a list of search terms, then use it as an input in other multiselects.
Because I know all possible values for the search terms, I use makeresults instead of search.
How do I make the second and third multiselects use the input from the first multiselect?
<form version="1.1">
  <label>Test</label>
  <description>Test</description>
  <fieldset autoRun="true">
    <!-- First input: the static list of log levels, built with makeresults -->
    <input type="multiselect" token="log_level_csv">
      <label>Log_Level from static makeresults</label>
      <!-- the query below emits a field named log_levels, so label/value must use that name -->
      <fieldForLabel>log_levels</fieldForLabel>
      <fieldForValue>log_levels</fieldForValue>
      <default>ERROR</default>
      <!-- explicit space delimiter so the makemv delim=" " in the dependent inputs matches -->
      <delimiter> </delimiter>
      <search>
        <query>| makeresults | eval log_levels="INFO WARN ERROR" | makemv delim=" " log_levels | mvexpand log_levels | stats count by log_levels</query>
        <earliest>-24h</earliest>
        <latest>now</latest>
      </search>
    </input>
    <!-- Second input: the same values rendered as (TERM(x) OR TERM(y)) -->
    <input type="multiselect" token="TERM">
      <label>TERM</label>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <valuePrefix>TERM(</valuePrefix>
      <valueSuffix>)</valueSuffix>
      <delimiter> OR </delimiter>
      <fieldForLabel>log_levels</fieldForLabel>
      <fieldForValue>log_levels</fieldForValue>
      <search>
        <query>| makeresults | eval log_levels="$log_level_csv$" | makemv delim=" " log_levels | mvexpand log_levels | stats count by log_levels</query>
        <earliest>-24h</earliest>
        <latest>now</latest>
      </search>
    </input>
    <!-- Third input: the same values rendered as (log_level="x" OR log_level="y").
         The values are quoted because `where` treats an unquoted word as a field name. -->
    <input type="multiselect" token="log_level_search">
      <label>Search</label>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <valuePrefix>log_level="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR </delimiter>
      <fieldForLabel>log_levels</fieldForLabel>
      <fieldForValue>log_levels</fieldForValue>
      <search>
        <query>| makeresults | eval log_levels="$log_level_csv$" | makemv delim=" " log_levels | mvexpand log_levels | stats count by log_levels</query>
        <earliest>-24h</earliest>
        <latest>now</latest>
      </search>
    </input>
  </fieldset>
  <row>
    <table>
      <title>Table of events</title>
      <search>
        <query>index=_internal $TERM$ | where $log_level_search$</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </table>
  </row>
</form>
Use a change handler to set up a new token, something like this:
<form version="1.1">
  <label>Multiselect Duplicated</label>
  <fieldset submitButton="false" autoRun="true">
    <!-- The rendered token $term_choices$ carries the prefix/valuePrefix/delimiter form:
         (TERM(INFO) OR TERM(WARN)) -->
    <input type="multiselect" token="term_choices" searchWhenChanged="true">
      <label></label>
      <choice value="INFO">INFO</choice>
      <choice value="WARN">WARN</choice>
      <choice value="ERROR">ERROR</choice>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <valuePrefix>TERM(</valuePrefix>
      <valueSuffix>)</valueSuffix>
      <delimiter> OR </delimiter>
      <change>
        <!-- $form.term_choices$ is the raw multivalue selection; this builds
             the second format, e.g. field IN (INFO,WARN) -->
        <eval token="log_level_search">mvjoin(mvappend("field IN (",mvjoin($form.term_choices$,","),")"),"")</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>
        <p>TERM choices: $term_choices$</p>
        <p>log search: $log_level_search$</p>
      </html>
    </panel>
  </row>
</form>
Note the use of $form.token_name$ rather than $token_name$ as this is the multivalued version of the token without the prefixes, suffixes and delimiters.
thank you @ITWhisperer
IN requires quotes, so I've modified it a bit:
<eval token="log_level_search">mvjoin(mvappend("log_level IN (\"",mvjoin( $form.term_choices$,"\",\""),"\")"),"")</eval>
Hi @pavelpro
As it's a multiselect, the token can be a multikv, so each subsequent selection search needs to account for that. Something like this should work...
<form version="1.1">
  <label>Test</label>
  <description>Test</description>
  <fieldset autoRun="true">
    <!-- First input: static choices joined with a space, so the dependent
         searches can split("$log_level_csv$", " ") -->
    <input type="multiselect" token="log_level_csv">
      <label>Log_Levels (static)</label>
      <default>ERROR</default>
      <delimiter> </delimiter>
      <choice value="INFO">INFO</choice>
      <choice value="WARN">WARN</choice>
      <choice value="ERROR">ERROR</choice>
    </input>
    <!-- Second input: expand each selected level into its search terms,
         rendered as (TERM(a) OR TERM(b) ...) -->
    <input type="multiselect" token="myTerms" searchWhenChanged="true">
      <label>TERM</label>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <valuePrefix>TERM(</valuePrefix>
      <valueSuffix>)</valueSuffix>
      <delimiter> OR </delimiter>
      <search>
        <query>| makeresults
| eval log_levels=split("$log_level_csv$", " ")
| mvexpand log_levels
| eval terms=case(
    log_levels="INFO", mvappend("info_term1", "info_term2", "info_term3")
   ,log_levels="WARN", mvappend("warn_term1", "warn_term2", "warn_term3")
   ,log_levels="ERROR", mvappend("err_term1", "err_term2", "err_term3")
  )
| mvexpand terms
| table terms</query>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </search>
      <fieldForLabel>terms</fieldForLabel>
      <fieldForValue>terms</fieldForValue>
    </input>
    <!-- Third input: the same levels rendered as log_level IN("a", "b"),
         quoted so the values work inside `where` -->
    <input type="multiselect" token="log_level_search">
      <label>Search</label>
      <prefix>log_level IN(</prefix>
      <suffix>)</suffix>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter>, </delimiter>
      <search>
        <query>| makeresults
| eval log_levels=split("$log_level_csv$", " ")
| mvexpand log_levels
| eval log_level_search=case(
    log_levels="INFO", "INFO"
   ,log_levels="WARN", "WARN"
   ,log_levels="ERROR", "ERROR"
  )
| table log_level_search</query>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </search>
      <fieldForLabel>log_level_search</fieldForLabel>
      <fieldForValue>log_level_search</fieldForValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>log_level_csv: $log_level_csv$<br/>
        myTerm: $myTerms$<br/>
        log_level_search: $log_level_search$<br/>
      </html>
    </panel>
    <panel>
      <table>
        <title>Table of events</title>
        <search>
          <query>index=_internal $myTerms$ | where $log_level_search$ | head 10</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
Hope it helps
thank you @yeahnah , this was the key "As it's multiselect the token can be a multikv so each subsequent selection search needs to account for that. "
Hello @yeahnah
thanks, your XML works, but the results of the first input don't get automatically populated in the following inputs.
Asked differently, is it possible to use only one multiselect input to get this SPL:
index=info (TERM(ERROR) OR TERM(WARN)) .... | more processing | search field=ERROR OR field=WARN
So basically the result of the multiselect input gets formatted once as "(TERM(ERROR) OR TERM(WARN))" and later as "field=ERROR OR field=WARN".
My idea was to use one main multiselect, where I define one or several "terms"; this result is used as a token in subsequent inputs (which should be hidden if possible), gets formatted using the appropriate prefix/suffix/delimiter and is used in the search string as:
index=info $term$ .... | more processing | search $log_level_search$
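Putting the two answers together for the single-input form asked about in the last post, as an added example that is not from any of the posters: one multiselect whose rendered token already carries the TERM() form through prefix/valuePrefix/delimiter, while a change handler builds the quoted IN() form from $form.log_level_csv$ using the corrected eval pattern from earlier in the thread. The field name log_level, the index and the 15-minute window are assumptions for illustration.

```xml
<form version="1.1">
  <label>One multiselect, two formats</label>
  <fieldset submitButton="false" autoRun="true">
    <!-- The only input. Its rendered token $log_level_csv$ is the search-clause form:
         (TERM(ERROR) OR TERM(WARN)) -->
    <input type="multiselect" token="log_level_csv" searchWhenChanged="true">
      <label>Log level</label>
      <choice value="INFO">INFO</choice>
      <choice value="WARN">WARN</choice>
      <choice value="ERROR">ERROR</choice>
      <default>ERROR</default>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <valuePrefix>TERM(</valuePrefix>
      <valueSuffix>)</valueSuffix>
      <delimiter> OR </delimiter>
      <change>
        <!-- $form.log_level_csv$ is the raw multivalue selection with no prefix,
             suffix or delimiter. Quote each value so the result is valid inside
             `where`: log_level IN ("ERROR","WARN") -->
        <eval token="log_level_search">mvjoin(mvappend("log_level IN (\"",mvjoin($form.log_level_csv$,"\",\""),"\")"),"")</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>
        <p>TERM form: $log_level_csv$</p>
        <p>where form: $log_level_search$</p>
      </html>
    </panel>
    <panel>
      <table>
        <title>Table of events</title>
        <search>
          <!-- index and field name are assumptions -->
          <query>index=_internal $log_level_csv$ | where $log_level_search$ | head 10</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Both tokens are substituted into SPL verbatim, so keeping the selectable values to fixed `<choice>` entries (rather than a free-text input) is what bounds what can end up inside the `where` clause; the quoting in the change handler only makes the values parse as string literals, it does not restrict them.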