Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to pass multiple parameters from a form input to a search?

ewanbrown
Path Finder
‎03-19-2015 05:53 AM

Hi

I have a form that allows users to enter an ID, which will then be populated in a search.

Is there a way to let users put in X number of ID's and have them all searched?

I've not been able to work out a way to do this as my query is something like:

index=beacon id=$id$ | chart count by country

To allow them to put in multiple IDs, all I can think of would be to have: 

index=beacon id=$id$  OR id=$id2$ OR id=$id3$| chart count by country

but then you'd need to know ahead of time how many IDs were going to be passed in.

Thanks

Reply
1 Solution
Solved! Jump to solution
Solution

masonmorales
Influencer
‎03-19-2015 01:10 PM

Yes, this is possible. The best way to do it would be to replace your existing input (I'm assuming it's probably a text box) to a multi-select input with an "OR" delimiter. Here's an example:

<input searchWhenChanged="true" token="id" type="multiselect">
  <label>ID</label>
  <default>*</default>
  <choice value="*">All</choice>
  <populatingSearch fieldForLabel="id" fieldForValue="id"> .... | stats count by id</populatingSearch>
  <delimiter> OR id=</delimiter>

I also recommend putting parenthesis around the token in your results search, as Splunk is going to append "OR id=x, id=y, etc." for as many IDs as your user chooses from the input.

i.e.

index=beacon (id=$id$) | chart count by country

View solution in original post

Reply
Solved! Jump to solution

god2305
New Member
‎10-13-2015 02:49 AM

I have same problem too.

mine just a simple question as

there is an input to search data in 1 single sourcetype by using UID

as now, the UID column only allow 1 UID to search

how to make it to able multiple search , as my customer would like to input "uid1 uid2 uid3 uid4.."

0 Karma
Reply
Solved! Jump to solution

maciep
Champion
‎03-19-2015 05:08 PM

Would you be able to force/convince your users to delimit the id's they enter? If you can, then maybe you can pipe to where instead.

For example, if the id's were semicolon delimited, your search might be able to look something like this:

index=beacon | eval id_list= ltrim($ids$,";") | eval id_list= rtrim(id_list,";") | eval id_list= ";".id_list.";" | where match (id_list,";".id.";") |chart count by country

The first few evals are just trying to ensure that we have opening and closing semicolons, and then we only pipe to where the id (surrounded by semicolons) is found in that string

Reply
Solved! Jump to solution
Solution

masonmorales
Influencer
‎03-19-2015 01:10 PM

Yes, this is possible. The best way to do it would be to replace your existing input (I'm assuming it's probably a text box) to a multi-select input with an "OR" delimiter. Here's an example:

<input searchWhenChanged="true" token="id" type="multiselect">
  <label>ID</label>
  <default>*</default>
  <choice value="*">All</choice>
  <populatingSearch fieldForLabel="id" fieldForValue="id"> .... | stats count by id</populatingSearch>
  <delimiter> OR id=</delimiter>

I also recommend putting parenthesis around the token in your results search, as Splunk is going to append "OR id=x, id=y, etc." for as many IDs as your user chooses from the input.

i.e.

index=beacon (id=$id$) | chart count by country
Reply
Solved! Jump to solution

harshal_chakran
Builder
‎03-19-2015 06:17 AM

Hi,
Try using this sample code below:

<form>
  <label>Test Form</label>
  <description></description>
  <fieldset autoRun="true" submitButton="false">
    <input type="text" token="limit" searchWhenChanged="true">
      <label>Folder Name</label>
    </input>
    <input type="text" token="limit2" searchWhenChanged="true">
      <label>Workflow Name</label>
    </input>
    <input type="text" token="limit3" searchWhenChanged="true">
      <label>Session Name</label>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index="_internal"|eval text1="$limit$"|eval text2="$limit2$"|eval text3="$limit3$" |table text1 text2 text3</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
      </table>
    </panel>
  </row>
</form>
0 Karma
Reply
Solved! Jump to solution

ewanbrown
Path Finder
‎03-19-2015 07:21 AM

Thanks, my problem though is I don't know if they will put in 1 ID, 3, 20 (or any number)

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...