Splunk Search

How to get a multiselect form input to pass two types of values?

spammenot66
Contributor

When creating a search using pivot/data model, I can add a filter that looks something like:

FILTER Brand in (brand1,brand2,brand3) or FILTER Brand in (*) as default value

When running a regular search to filter by brand, the search would need to look something like:

search (Brand=brand1 OR Brand=brand2 OR Brand=brand3)

In my dashboard, I have a bunch of panels that use the pivot/data model. I also have multiple multiselect filters (that are dependent on another) for the dashboard that currently use pivot, but to make things run a little faster, I would like to use regular searches to populate the multiselect filter values.

Is there a way to pull the token value of the multiselect form, which is delimited by a comma (,), pass it into another token, and replace the comma delimiter with a new one, which would be OR Brand=?

For example, if the multiselect form is currently set up to pass value as (brand1,brand2,brand3), I would like to copy this token value and pass it into a new token value as (Brand=brand1 OR Brand=brand2 OR Brand=brand3)

Thanks ahead of time.

0 Karma

twh1
Communicator

I had the same issue. You can set the Delimiter to OR Brand= . After passing this delimiter, your query will look like the one below.

| search Brand=brand1 OR Brand=brand2 OR Brand=brand3
0 Karma

xlash911
Explorer

This doesn't work for the pivot though...

0 Karma

jeffland
SplunkTrust

If I didn't misunderstand your intention, you could get the whole result in one go with one multiselect. Define Token Prefix as (, Token Suffix as ), Token Value Prefix as Brand= and Delimiter as OR (that's space, OR, space). The resulting token should look like

(Brand=value1 OR Brand=value2 ...)

which could already be what you need.
Oh and on a side note, it might be useful to define quotes around your values in case they can contain non-alphanumerics. That'll require Token Value Prefix as Brand=" and one of either Delimiter as " OR or Token Value Suffix as ".

0 Karma

spammenot66
Contributor

I would like to use the token from one multiselect for two different types of queries: 1) one for a pivot query and 2) a regular Splunk query.

Rather than creating 2 multiselect inputs for the Brand parameter, I would like to have one input that would populate both types of queries. The reason I'm using two types is because pivot queries are essential for creating the majority of the panels, but in some rare instances I just need to get a list of all rows (in this case Brand) without doing a count on it (which pivot would automatically do). Using a regular Splunk query to search for all unique brands would run a lot faster than getting a list of all brands with a calculated hit count.
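The following is an added example, not code from this thread, from Splunk, or from any poster. It simulates how a multiselect input assembles its token from the Token Prefix/Suffix, Token Value Prefix/Suffix and Delimiter settings jeffland describes, re-renders the comma-delimited default token the way the original question asks, and derives both the regular-search clause and the pivot FILTER from one selection, which is what spammenot66 wants from a single input. Assumptions: Splunk substitutes each chosen value verbatim without escaping (spl_quote is this example's own hardening, not a Splunk feature), quoted members inside the pivot in (...) list are assumed to be accepted (the thread shows them bare), and the brand values are constructed sample data.

```python
"""Simulate how a Splunk Simple XML multiselect assembles its token.

Added example for this thread, not code from Splunk or from any poster.
Assumption: Splunk substitutes each selected choice value verbatim between
Token Value Prefix and Token Value Suffix and does no escaping; spl_quote()
below is this example's own hardening, not a Splunk feature.
"""
from dataclasses import dataclass
from typing import Sequence


@dataclass(frozen=True)
class MultiselectSettings:
    """The token-formatting settings of a multiselect input (names as in the editor)."""
    prefix: str = ""        # Token Prefix
    suffix: str = ""        # Token Suffix
    value_prefix: str = ""  # Token Value Prefix
    value_suffix: str = ""  # Token Value Suffix
    delimiter: str = ","    # Delimiter; a comma is what the question's default token uses


def render_token(selected: Sequence[str], s: MultiselectSettings) -> str:
    """Wrap each value in value_prefix/value_suffix, join with delimiter,
    wrap the whole thing in prefix/suffix. Values go in verbatim (assumed)."""
    parts = [f"{s.value_prefix}{v}{s.value_suffix}" for v in selected]
    return f"{s.prefix}{s.delimiter.join(parts)}{s.suffix}"


# jeffland's settings, including the quoting refinement from the side note.
SEARCH_SETTINGS = MultiselectSettings(
    prefix="(", suffix=")", value_prefix='Brand="', value_suffix='"', delimiter=" OR "
)


def retokenize(comma_token: str, s: MultiselectSettings = SEARCH_SETTINGS) -> str:
    """The literal ask: re-render the comma-delimited default token with new settings.
    Caveat: a value containing a comma cannot be split back out, which is why
    setting the delimiter on the input itself is the better route."""
    values = [v for v in comma_token.split(",") if v]
    return render_token(values, s)


def spl_quote(value: str) -> str:
    """Quote a value as an SPL double-quoted literal, escaping backslashes and
    double quotes with a backslash. Without this, a choice value containing a
    quote closes the literal early and the rest of the value is parsed as SPL."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def search_clause(selected: Sequence[str]) -> str:
    """Regular-search form with escaped values: (Brand="a" OR Brand="b")."""
    return "(" + " OR ".join(f"Brand={spl_quote(v)}" for v in selected) + ")"


def pivot_filter(selected: Sequence[str]) -> str:
    """Pivot form from the same selection: FILTER Brand in ("a","b").
    Quoting the list members is an assumption; the thread shows them bare."""
    return "FILTER Brand in (" + ",".join(spl_quote(v) for v in selected) + ")"


if __name__ == "__main__":
    picked = ["brand1", "brand2", "brand3"]             # constructed sample selection
    print(render_token(picked, MultiselectSettings()))  # the default comma token
    print(render_token(picked, SEARCH_SETTINGS))
    print(retokenize("brand1,brand2,brand3"))
    print(render_token(["*"], SEARCH_SETTINGS))         # the "all brands" default
    # A value with an embedded quote: verbatim substitution breaks the clause,
    # the escaped form keeps it inside the literal.
    odd = ['brand" OR index=*']
    print(render_token(odd, SEARCH_SETTINGS))
    print(search_clause(odd))
    print(pivot_filter(picked))
```

The point of the last two prints is the caveat behind jeffland's side note: multiselect values usually come from a populating search, so whatever lands in the indexed data lands, unescaped, in the generated SPL. Quoting alone stops spaces and most punctuation from breaking the clause; only escaping stops an embedded double quote from ending the literal early.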

jeffland
SplunkTrust

How do you get a list of brands without any statistic function, of which count is the easiest? List and dedup is more expensive.

spammenot66
Contributor

jeffland, thank you for your input! Sounds like you're recommending an accelerated pivot table over list and dedup. I greatly appreciate the input.

0 Karma

jeffland
SplunkTrust

You're welcome 🙂

0 Karma