
Using Multiselect values in where clause

ChrisLa
New Member

Hello,

I'm creating a dashboard right now that uses a multiselect field to filter the data loaded into a table. The issue I'm having stems from the field I want to compare the multiselect values against. I'm pulling DOMAIN_NAME from the source field in the query, and I want to limit the results of the table to only logs that contain matching DOMAIN_NAMES values.

Here is the query I'm using to populate the multiselect:

host=hostname index="index" "BEA" | rex field=source "(?<LOG_DIRr>[\w\W/]+)/(?<DOMAIN_NAME>[^.]+)/(?<JVM_NAME>[^.]+)/(?<LOG_NAME>[^.]+).*" | dedup DOMAIN_NAME | stats count by DOMAIN_NAME

And here is the query I'm using for the table:

host=hostname index="index" "BEA" $domain_name_dropdown$ | rex field=source "(?<LOG_DIRr>[\w\W/]+)/(?<DOMAIN_NAME>[^.]+)/(?<JVM_NAME>[^.]+)/(?<LOG_NAME>[^.]+).*"

I think this is because the DOMAIN_NAME values that I'm trying to search on haven't been captured yet in the search string. So it's trying to search for DOMAIN_NAME in the logs (which is only in the source field) before doing the regex to actually pull the domain name out.

To combat this I tried using a where clause after the regex. This works beautifully when I only select one value in the multiselect. However, I cannot find a way to use a single where clause with multiple values. I even tried using the prefix/suffix/delimiter values in the multiselect to build a whole where clause for each value, but that doesn't work.

Am I on the right track here or is there a better way to do this?

0 Karma

MattZerfas
Communicator

Try this for the search in your table instead.

host=hostname index="index" "BEA"  | rex field=source "(?<LOG_DIRr>[\w\W/]+)/(?<DOMAIN_NAME>[^.]+)/(?<JVM_NAME>[^.]+)/(?<LOG_NAME>[^.]+).*"  | search $domain_name_dropdown$

You might have to put an OR in the delimiter of the multiselect.

Basically you need to filter your results of your search after you extract your DOMAIN_NAME with the regex or the search doesn't know what it is. That is assuming I am reading your question correctly.

0 Karma

MattZerfas
Communicator

Yeah you can see what it used in the search. After it returns no results just hit "open in search" in the bottom right of the panel. Try this instead.

  <label>DOMAIN NAME</label>
  <fieldForLabel>DOMAIN_NAME</fieldForLabel>
  <fieldForValue>DOMAIN_NAME</fieldForValue>
  <prefix>(DOMAIN_NAME=</prefix>
  <suffix>)</suffix>
  <delimiter> OR DOMAIN_NAME=</delimiter>
  <choice value="*">All</choice>
  <default>*</default>

0 Karma

ChrisLa
New Member

I think you understood the question, but it doesn't look like this is working either. If I don't select a domain name in the multiselect and just use the default of *, the search returns results. However if I select one or more domain names, it doesn't return any results.

  <label>DOMAIN NAME</label>
  <fieldForLabel>DOMAIN_NAME</fieldForLabel>
  <fieldForValue>DOMAIN_NAME</fieldForValue>
  <prefix>(</prefix>
  <suffix>)</suffix>
  <delimiter>OR</delimiter>
  <choice value="*">All</choice>
  <default>*</default>

Is there any way to see the value of $domain_name_dropdown$ that is being used in the search?

0 Karma
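
To see what $domain_name_dropdown$ expands to under each input configuration in this thread, the following added example (not code from either poster or from Splunk) models the multiselect assembly rule, prefix + values joined by delimiter + suffix, in Python. The domain names domainA and domainB, the function names, and the third "quoted" configuration using valuePrefix/valueSuffix are assumptions for illustration.

```python
# Added example: a model of how a Simple XML multiselect assembles its token.
# Not Splunk code; domainA/domainB are constructed sample values.

def render_token(values, prefix="", suffix="", delimiter=" ",
                 value_prefix="", value_suffix=""):
    """prefix + (valuePrefix + value + valueSuffix, joined by delimiter) + suffix"""
    parts = [f"{value_prefix}{v}{value_suffix}" for v in values]
    return f"{prefix}{delimiter.join(parts)}{suffix}"

def bare_terms(clause, field="DOMAIN_NAME"):
    """Return the OR-separated terms that are NOT field=value comparisons.
    Simple check for the flat '(a OR b)' shape these inputs produce."""
    inner = clause.strip()
    if inner.startswith("(") and inner.endswith(")"):
        inner = inner[1:-1]
    return [t for t in inner.split(" OR ") if not t.startswith(field + "=")]

CONFIGS = {
    # ChrisLa's settings: delimiter "OR" has no surrounding spaces.
    "original": dict(prefix="(", suffix=")", delimiter="OR"),
    # MattZerfas's settings: the field name is carried in prefix and delimiter.
    "suggested": dict(prefix="(DOMAIN_NAME=", suffix=")",
                      delimiter=" OR DOMAIN_NAME="),
    # Assumed variant: per-value wrapping (valuePrefix/valueSuffix) with quotes,
    # so a value containing spaces stays a single term.
    "quoted": dict(prefix="(", suffix=")", delimiter=" OR ",
                   value_prefix='DOMAIN_NAME="', value_suffix='"'),
}

def expand_all(selected):
    """Render the token for every configuration above."""
    return {name: render_token(selected, **cfg) for name, cfg in CONFIGS.items()}

if __name__ == "__main__":
    for selected in (["*"], ["domainA"], ["domainA", "domainB"]):
        print(f"selected = {selected}")
        for name, clause in expand_all(selected).items():
            print(f"  {name:<9} | search {clause}   bare terms: {bare_terms(clause)}")
```

A bare term after `| search` is matched against the event text rather than the extracted DOMAIN_NAME field, which is consistent with the original settings returning results only for `*`.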