Hi
I have a form that allows users to enter an ID, which will then be populated in a search.
Is there a way to let users put in X number of IDs and have them all searched?
I've not been able to work out a way to do this as my query is something like:
index=beacon id=$id$ | chart count by country
To allow them to put in multiple IDs, all I can think of would be to have:
index=beacon id=$id$ OR id=$id2$ OR id=$id3$| chart count by country
but then you'd need to know ahead of time how many IDs were going to be passed in.
Thanks
Yes, this is possible. The best way to do it would be to replace your existing input (I'm assuming it's probably a text box) with a multi-select input with an "OR" delimiter. Here's an example:
<input searchWhenChanged="true" token="id" type="multiselect">
<label>ID</label>
<default>*</default>
<choice value="*">All</choice>
<populatingSearch fieldForLabel="id" fieldForValue="id"> .... | stats count by id</populatingSearch>
<delimiter> OR id=</delimiter>
</input>
I also recommend putting parentheses around the token in your results search, as Splunk is going to append "OR id=x, id=y, etc." for as many IDs as your user chooses from the input.
i.e.
index=beacon (id=$id$) | chart count by country
I have the same problem too.
Mine is just a simple question:
there is an input to search data in one single sourcetype by UID.
As of now, the UID field only allows one UID to be searched.
How can I make it accept multiple UIDs? My customer would like to input "uid1 uid2 uid3 uid4.."
Would you be able to force/convince your users to delimit the IDs they enter? If you can, then maybe you can pipe to where instead.
For example, if the IDs were semicolon delimited, your search might be able to look something like this:
index=beacon | eval id_list=ltrim($ids|s$,";") | eval id_list=rtrim(id_list,";") | eval id_list=";".id_list.";" | where match(id_list,";".id.";") | chart count by country
The first few evals are just trying to ensure that we have opening and closing semicolons, and then we only pipe to where the id (surrounded by semicolons) is found in that string.
Hi,
Try using this sample code below:
<form>
<label>Test Form</label>
<description></description>
<fieldset autoRun="true" submitButton="false">
<input type="text" token="limit" searchWhenChanged="true">
<label>Folder Name</label>
</input>
<input type="text" token="limit2" searchWhenChanged="true">
<label>Workflow Name</label>
</input>
<input type="text" token="limit3" searchWhenChanged="true">
<label>Session Name</label>
</input>
</fieldset>
<row>
<panel>
<table>
<search>
<query>index="_internal"|eval text1="$limit$"|eval text2="$limit2$"|eval text3="$limit3$" |table text1 text2 text3</query>
<earliest>0</earliest>
<latest></latest>
</search>
</table>
</panel>
</row>
</form>
Thanks, my problem though is I don't know if they will put in 1 ID, 3, 20 (or any number)
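For the case raised in the last reply, where the number of IDs is not known in advance, one option is a single free-text input whose contents are split into one filter term per ID inside a subsearch. This is an added example, not code from any poster in the thread; the token name `ids`, the accepted separators (spaces, commas, semicolons) and the ID character allowlist are assumptions to adjust to your data.

```xml
<form>
  <label>Beacon lookup by ID list</label>
  <fieldset submitButton="true" autoRun="false">
    <!-- One text box; the user may enter 1, 3, 20 or any number of IDs. -->
    <input type="text" token="ids">
      <label>IDs (separated by spaces, commas or semicolons)</label>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!--
            $ids|s$ applies the Simple XML quote filter, so the raw input reaches
            eval as one quoted string literal instead of being pasted into the
            search as SPL.
            The subsearch normalises the separators, produces one row per ID,
            keeps only values matching the assumed allowlist, and lets "format"
            emit ( ( id="a" ) OR ( id="b" ) ... ) for the outer search.
            If no entered value passes the allowlist, "format" returns NOT (),
            so the outer search matches nothing rather than everything.
          -->
          <query><![CDATA[
index=beacon
    [| makeresults
     | eval id=split(replace(trim($ids|s$), "[\s,;]+", ","), ",")
     | mvexpand id
     | where match(id, "^[A-Za-z0-9_-]+$")
     | table id
     | format]
| chart count by country
          ]]></query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Because every ID becomes an exact `id="..."` term, a stray `*` or a fragment of SPL typed into the box is dropped by the allowlist instead of widening the search.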