I have to filter the events by matching against comma-separated values. For example,
I have an input text box field. If I type 123, 231, 356, I have to filter the events by matching against the comma-separated fields.
It should be ('123' OR '231' OR '356'). I have tried assigning the exact string to the searchmatch()
function, but it seems like it is ANDing the values instead of ORing them. Following is my query:
<dashboard>
  <label>Filter Dashboard</label>
  <fieldset submitButton="false" autoRun="true">
    <input type="text" token="filter_tok" searchWhenChanged="true">
      <label>Filter</label>
      <initialValue>*</initialValue>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>My Panel</title>
      <event>
        <search>
          <query>index=* | where searchmatch("$filter_tok$") </query>
          <earliest>-30m@m</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">5</option>
        <option name="list.drilldown">full</option>
        <option name="list.wrap">1</option>
        <option name="maxLines">5</option>
        <option name="raw.drilldown">full</option>
        <option name="rowNumbers">0</option>
        <option name="table.drilldown">all</option>
        <option name="table.sortDirection">asc</option>
        <option name="table.wrap">1</option>
        <option name="type">list</option>
      </event>
    </panel>
  </row>
</dashboard>
How to achieve this? Please suggest.
Hi
Can you please try this?
<dashboard>
  <label>Filter Dashboard</label>
  <fieldset submitButton="false" autoRun="true">
    <input type="text" token="filter_tok" searchWhenChanged="true">
      <label>Filter</label>
      <initialValue>*</initialValue>
      <default>*</default>
    </input>
  </fieldset>
  <search>
    <query>| makeresults | eval value="$filter_tok$" | makemv delim="," value | mvexpand value | stats delim=" OR " values(value) as value | mvcombine value </query>
    <done>
      <set token="myToken">$result.value$</set>
    </done>
  </search>
  <row>
    <panel>
      <title>My Panel $myToken$</title>
      <event>
        <search>
          <query>index=* | where searchmatch("$myToken$") </query>
          <earliest>-30m@m</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">5</option>
        <option name="list.drilldown">full</option>
        <option name="list.wrap">1</option>
        <option name="maxLines">5</option>
        <option name="raw.drilldown">full</option>
        <option name="rowNumbers">0</option>
        <option name="table.drilldown">all</option>
        <option name="table.sortDirection">asc</option>
        <option name="table.wrap">1</option>
        <option name="type">list</option>
      </event>
    </panel>
  </row>
</dashboard>
Thanks
Excellent. Worked perfectly fine. Thanks a lot @kamlesh_vaghela
Try with the IN clause.
i.e. the following query only prints events from the two hosts mentioned in the IN clause.
index=main host IN ("CDSLMAC02.local","127.0.0.1")
@hardikJsheth I need to perform a random search, not specific to any field.
@Naren26, I got it.
The best solution would be to replace the comma with OR in the token using JavaScript.
i.e. index=main "CDSLMAC02.local" OR "127.0.0.1"
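The comma-to-OR conversion suggested in the last comment, as an added example that is not part of the original thread: a plain JavaScript function that also quotes each value and escapes embedded quotes and backslashes, so whatever is typed in the text box stays a literal search term. The names `quoteTerm` and `csvToOrTerms` are assumptions, and the sample inputs are constructed.

```javascript
// Added example (not from the thread): build OR'd SPL search terms from a
// comma-separated text input. Function names are hypothetical.

// Wrap one value in double quotes, escaping the characters that would
// otherwise end or alter a double-quoted SPL search term.
function quoteTerm(term) {
  return '"' + term.replace(/\\/g, '\\\\').replace(/"/g, '\\"') + '"';
}

// "123, 231, 356" -> ("123" OR "231" OR "356")
function csvToOrTerms(input) {
  const terms = String(input == null ? '' : input)
    .split(',')
    .map((t) => t.trim())          // "123, 231" leaves a leading space on " 231"
    .filter((t) => t.length > 0);  // ignore empty items such as "1,,2" or a trailing comma

  // Empty input, or a bare "*" among the values, keeps the dashboard
  // default of matching every event.
  if (terms.length === 0 || terms.includes('*')) {
    return '*';
  }

  // De-duplicate while keeping the order the user typed.
  const unique = [...new Set(terms)];

  // Parentheses keep the OR group together when other terms follow it.
  return '(' + unique.map(quoteTerm).join(' OR ') + ')';
}

// Constructed sample inputs.
const samples = [
  '123, 231, 356',
  'CDSLMAC02.local,127.0.0.1',
  ' , ,',
  'a"b, c\\d',
  '*',
];
for (const s of samples) {
  console.log(JSON.stringify(s), '=>', csvToOrTerms(s));
}
```

In a dashboard script, the returned string would be stored in a second token (such as `myToken` above) whenever `filter_tok` changes, and used directly as search terms, e.g. `index=main $myToken$`.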