Dashboards & Visualizations

Check multiple fields against multiselect value?

eroffol
Path Finder

Is it possible to check multiple fields against a multiselect value?

For example:
My multiselect input has 2 values selected, NORMAL and SEVERE

I want my search to look like:

...
| where field1 == "NORMAL" OR field2 == "NORMAL" OR field1 == "SEVERE" OR field2 == "SEVERE"

I know I can achieve this by having 2 separate multiselects (one for each field), but I was wondering if it is possible to just use 1.

0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

After having your multiselect returning values in format "Value1,Value2" (you would need to adjust prefix/separator and other things), you can run query like this

.... | where [|gentimes start=-1 | eval field1=split("$multiselectToken",",") | table field1 | mvexpand field1] OR [|gentimes start=-1 | eval field2=split("$multiselectToken",",") | table field2 | mvexpand field2]

View solution in original post

somesoni2
SplunkTrust
SplunkTrust

After having your multiselect returning values in format "Value1,Value2" (you would need to adjust prefix/separator and other things), you can run query like this

.... | where [|gentimes start=-1 | eval field1=split("$multiselectToken",",") | table field1 | mvexpand field1] OR [|gentimes start=-1 | eval field2=split("$multiselectToken",",") | table field2 | mvexpand field2]
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...