How to reuse multiselect results in search?

pavelpro
Explorer

I use multisearch to build a list of search terms, then use them in different contexts: for building "normal" search strings, and also at the beginning with a TERM. All these search strings have different formats:

index=info (TERM(something) OR TERM(something2)) .... | more processing | search field=something OR field=something 

My approach is to use multiselect to build a list of search terms, then use it in others multiselect as an input.

Because I know all possible values for the search terms, I use makeresults instead of search.

How to make the second and third multiselect use input from the first multiselect?


<form version="1.1">
    <label>Test</label>
    <description>Test</description>
    <fieldset autoRun="true">
        <input type="multiselect" token="log_level_csv">
            <fieldForLabel>log_level</fieldForLabel>
            <fieldForValue>log_level</fieldForValue>
            <default>ERROR</default>
            <search>
                <query>| makeresults | eval log_levels="INFO WARN ERROR" | makemv delim=" " log_levels | mvexpand log_levels | stats count by log_levels</query>
                <earliest>-24h</earliest>
                <latest>now</latest>
            </search>
            <label>Log_Level from static makeresults</label>
        </input>

        <input type="multiselect" token="TERM" autoRun="false">
          <prefix>(</prefix>
          <suffix>)</suffix>
          <valuePrefix>TERM(</valuePrefix>
          <valueSuffix>)</valueSuffix>
          <delimiter> OR </delimiter>
          <label>TERM</label>
                <search>
                    <query>| makeresults | eval log_levels="$log_level_csv$" | makemv delim=" " log_levels | mvexpand log_levels | stats count by log_levels</query>
                    <earliest>-24h</earliest>
                    <latest>now</latest>
                </search>

        </input>

        <input type="multiselect" token="log_level_search">
          <prefix>(</prefix>
          <suffix>)</suffix>
          <valuePrefix>log_level=</valuePrefix>
          <valueSuffix></valueSuffix>
          <delimiter> OR </delimiter>
          <label>Search</label>
                <search>
                    <query>| makeresults | eval log_levels="$log_level_csv$" | makemv delim=" " log_levels | mvexpand log_levels | stats count by log_levels</query>
                    <earliest>-24h</earliest>
                    <latest>now</latest>
                </search>

        </input>


    </fieldset>
    <row>
        <table>
            <title>Table of events</title>
            <search>
                <query> index=_internal $TERM$ | where $log_level_search$ </query>
                <earliest>-24h@h</earliest>
                <latest>now</latest>
            </search>
        </table>
    </row>
</form>



ITWhisperer
SplunkTrust

Use a change handler to set up a new token, something like this:

<form version="1.1">
  <label>Multiselect Duplicated</label>
  <fieldset submitButton="false" autoRun="true">
    <input type="multiselect" token="term_choices" searchWhenChanged="true">
      <label></label>
      <choice value="INFO">INFO</choice>
      <choice value="WARN">WARN</choice>
      <choice value="ERROR">ERROR</choice>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <valuePrefix>TERM(</valuePrefix>
      <valueSuffix>)</valueSuffix>
      <delimiter> OR </delimiter>
      <change>
        <eval token="log_level_search">mvjoin(mvappend("field IN (",mvjoin($form.term_choices$,","),")"),"")</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>
        <p>TERM choices: $term_choices$</p>
        <p>log search: $log_level_search$</p>
      </html>
    </panel>
  </row>
</form>

Note the use of $form.token_name$ rather than $token_name$ as this is the multivalued version of the token without the prefixes, suffixes and delimiters.


pavelpro
Explorer

thank you @ITWhisperer 

IN requires quotes, so I've modified it a bit:

<eval token="log_level_search">mvjoin(mvappend("log_level IN (\"",mvjoin( $form.term_choices$,"\",\""),"\")"),"")</eval>
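The two answers above turn on the same mechanism: a multiselect renders its `$token$` by wrapping every selected value in `valuePrefix`/`valueSuffix`, joining with `delimiter` and wrapping the whole thing in `prefix`/`suffix`, while `$form.token$` is the bare multivalue list that a `<change><eval>` handler can reshape into a second token (here the quoted `IN (...)` list pavelpro ended up with). The following Python model is an added example, not code from the thread or from Splunk; it reproduces that rendering for the token attributes used in this thread, so the different formats of one selection can be checked offline. The rendering of an empty selection as an empty string, and the per-value escaping in `spl_quote`, are assumptions of this example rather than documented Simple XML behaviour.

```python
# Added example (not from the thread): models how a Simple XML multiselect
# renders its token and how the <change><eval> handler from the accepted
# answer derives a second token from the same selection.
from typing import Iterable, List


def render_multiselect(values: Iterable[str], prefix: str = "", suffix: str = "",
                       value_prefix: str = "", value_suffix: str = "",
                       delimiter: str = " ") -> str:
    """Mimic $token$ for a multiselect input.

    Each selected value is wrapped in valuePrefix/valueSuffix, the pieces are
    joined with delimiter, and the result is wrapped in prefix/suffix.
    Returning "" for an empty selection is an assumption of this model.
    """
    vals = list(values)
    if not vals:
        return ""
    body = delimiter.join(f"{value_prefix}{v}{value_suffix}" for v in vals)
    return f"{prefix}{body}{suffix}"


def form_token(values: Iterable[str]) -> List[str]:
    """Mimic $form.token$: the raw multivalue selection, with no
    prefix, suffix, valuePrefix, valueSuffix or delimiter applied."""
    return list(values)


def thread_eval_in_clause(field: str, values: Iterable[str]) -> str:
    """Literal transcription of pavelpro's eval expression:
    mvjoin(mvappend("<field> IN (\"", mvjoin($form.term_choices$, "\",\""), "\")"), "")
    i.e. join the values with '","' and wrap them in '<field> IN ("' ... '")'."""
    vals = form_token(values)
    return "".join([f'{field} IN ("', '","'.join(vals), '")'])


def spl_quote(value: str) -> str:
    """Quote one value for an SPL IN (...) list (assumed convention for this
    example): backslash and double quote are escaped so a value containing
    a quote cannot end the string early."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def in_clause(field: str, values: Iterable[str]) -> str:
    """Same output as thread_eval_in_clause for plain values, but quotes each
    value individually so embedded quotes are escaped."""
    return f'{field} IN ({",".join(spl_quote(v) for v in form_token(values))})'


def build_search(index: str, selection: Iterable[str]) -> str:
    """Assemble the search from the question: the TERM()-formatted token at
    the front and the IN-list token after the pipe, from one selection."""
    sel = list(selection)
    term_token = render_multiselect(sel, prefix="(", suffix=")",
                                    value_prefix="TERM(", value_suffix=")",
                                    delimiter=" OR ")
    return f"index={index} {term_token} | where {in_clause('log_level', sel)}"


if __name__ == "__main__":
    # Constructed sample selection, as if the user picked INFO and WARN.
    picked = ["INFO", "WARN"]
    print("$term_choices$     :", render_multiselect(picked, "(", ")", "TERM(", ")", " OR "))
    print("$form.term_choices$:", form_token(picked))
    print("$log_level_search$ :", thread_eval_in_clause("log_level", picked))
    print("full search        :", build_search("_internal", picked))
```

`thread_eval_in_clause` shows why the quotes had to be added to the eval: Splunk's `IN` list needs each member quoted, and `$form.term_choices$` hands the handler only the bare values. `in_clause` is the same construction with per-value quoting, which is the safer shape if the selectable values are ever driven by a search rather than fixed `<choice>` elements.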

yeahnah
Motivator

Hi @pavelpro 

As it's multiselect the token can be a multikv so each subsequent selection search needs to account for that.  Something like this should work...

<form version="1.1">
  <label>Test</label>
  <description>Test</description>
  <fieldset autoRun="true">
    <input type="multiselect" token="log_level_csv">
      <default>ERROR</default>
      <search>
        <query/>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </search>
      <label>Log_Levels (static)</label>
      <delimiter> </delimiter>
      <choice value="INFO">INFO</choice>
      <choice value="WARN">WARN</choice>
      <choice value="ERROR">ERROR</choice>
    </input>
    <input type="multiselect" token="myTerms" searchWhenChanged="true">
      <prefix>(</prefix>
      <suffix>)</suffix>
      <valuePrefix>TERM(</valuePrefix>
      <valueSuffix>)</valueSuffix>
      <delimiter> OR </delimiter>
      <label>TERM</label>
      <search>
        <query>| makeresults
| eval log_levels=split("$log_level_csv$", " ")
| mvexpand log_levels
| eval terms=case(
    log_levels="INFO", mvappend("info_term1", "info_term2", "info_term3")
   ,log_levels="WARN", mvappend("warn_term1", "warn_term2", "warn_term3")
   ,log_levels="ERROR", mvappend("err_term1", "err_term2", "err_term3")
   )
| mvexpand terms
| table terms</query>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </search>
      <fieldForLabel>terms</fieldForLabel>
      <fieldForValue>terms</fieldForValue>
    </input>
    <input type="multiselect" token="log_level_search">
      <prefix>log_level IN(</prefix>
      <suffix>)</suffix>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter>, </delimiter>
      <label>Search</label>
      <search>
        <query>| makeresults
| eval log_levels=split("$log_level_csv$", " ")
| mvexpand log_levels
| eval log_level_search=case(
    log_levels="INFO", "INFO"
   ,log_levels="WARN", "WARN"
   ,log_levels="ERROR", "ERROR"
   )
| table log_level_search</query>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </search>
      <fieldForLabel>log_level_search</fieldForLabel>
      <fieldForValue>log_level_search</fieldForValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>log_level_csv: $log_level_csv$<br/>
            myTerm: $myTerms$<br/>
            log_level_search: $log_level_search$<br/>
      </html>
    </panel>
    <panel>
      <table>
        <title>Table of events</title>
        <search>
          <query> index=_internal $myTerms$ | where $log_level_search$ | head 10</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>

Hope it helps

pavelpro
Explorer

thank you @yeahnah , this was the key "As it's multiselect the token can be a multikv so each subsequent selection search needs to account for that. "


pavelpro
Explorer

Hello @yeahnah 

thanks, your xml works, but the results of the first input don't get automatically populated in the following inputs.

Asked differently, is it possible to use only one multiselect input to get this SPL:

index=info (TERM(ERROR) OR TERM(WARN)) .... | more processing | search field=ERROR OR field=WARN

So basically the result of the multiselect input gets formatted once as "(TERM(ERROR) OR TERM(WARN))" and later as "field=ERROR OR field=WARN".

My idea was to use one main multiselect, where I define one or several "terms"; this result is used as a token in subsequent inputs (which should be hidden if possible), gets formatted using the appropriate prefix/suffix/delimiter and is used in the search string as:

index=info $term$ .... | more processing | search $log_level_search$
