Solved: How to filter events based on comma deilmeter?

Naren26 · ‎11-22-2017

I have to filter the events by matching against the comma separated values. For example,
I have an input text box field. If I type 123, 231, 356, I have to filter the events by matching against the comma separated fields.

It should be ('123' OR '231' OR '356'). I have tried assigning the exact string to the searchmatch() function. But seems like it ANDing the values instead of OR. Following is my query:

<dashboard>
  <label>Filter Dashboard</label>
  <fieldset submitButton="false" autoRun="true">    
    <input type="text" token="filter_tok" searchWhenChanged="true">
      <label>Filter</label>
      <initialValue>*</initialValue>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>My Panel</title>
      <event>
        <search>
          <query>index=* | where searchmatch("$filter_tok$") </query>
          <earliest>-30m@m</earliest>
          <latest>now</latest>         
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">5</option>
        <option name="list.drilldown">full</option>
        <option name="list.wrap">1</option>
        <option name="maxLines">5</option>
        <option name="raw.drilldown">full</option>
        <option name="rowNumbers">0</option>
        <option name="table.drilldown">all</option>
        <option name="table.sortDirection">asc</option>
        <option name="table.wrap">1</option>
        <option name="type">list</option>
      </event>
    </panel>
  </row>
</dashboard>

How to achieve this? Please suggest.

kamlesh_vaghela · ‎11-22-2017

HI

Can you please try this?

<dashboard>
   <label>Filter Dashboard</label>
   <fieldset submitButton="false" autoRun="true">    
     <input type="text" token="filter_tok" searchWhenChanged="true">
       <label>Filter</label>
       <initialValue>*</initialValue>
       <default>*</default>
     </input>
   </fieldset>
   <search>
           <query>| makeresults | eval value="$filter_tok$" | makemv delim="," value | mvexpand value | stats delim=" OR " values(value) as value | mvcombine value </query>
           <done>
             <set token="myToken">$result.value$</set>
           </done>
   </search>
   <row>
     <panel>
       <title>My Panel $myToken$</title>
       <event>
         <search>
           <query>index=* | where searchmatch("$myToken$") </query>
           <earliest>-30m@m</earliest>
           <latest>now</latest>         
           <sampleRatio>1</sampleRatio>
         </search>
         <option name="count">5</option>
         <option name="list.drilldown">full</option>
         <option name="list.wrap">1</option>
         <option name="maxLines">5</option>
         <option name="raw.drilldown">full</option>
         <option name="rowNumbers">0</option>
         <option name="table.drilldown">all</option>
         <option name="table.sortDirection">asc</option>
         <option name="table.wrap">1</option>
         <option name="type">list</option>
       </event>
     </panel>
   </row>
 </dashboard>

Thanks

View solution in original post

kamlesh_vaghela · ‎11-22-2017

HI

Can you please try this?

<dashboard>
   <label>Filter Dashboard</label>
   <fieldset submitButton="false" autoRun="true">    
     <input type="text" token="filter_tok" searchWhenChanged="true">
       <label>Filter</label>
       <initialValue>*</initialValue>
       <default>*</default>
     </input>
   </fieldset>
   <search>
           <query>| makeresults | eval value="$filter_tok$" | makemv delim="," value | mvexpand value | stats delim=" OR " values(value) as value | mvcombine value </query>
           <done>
             <set token="myToken">$result.value$</set>
           </done>
   </search>
   <row>
     <panel>
       <title>My Panel $myToken$</title>
       <event>
         <search>
           <query>index=* | where searchmatch("$myToken$") </query>
           <earliest>-30m@m</earliest>
           <latest>now</latest>         
           <sampleRatio>1</sampleRatio>
         </search>
         <option name="count">5</option>
         <option name="list.drilldown">full</option>
         <option name="list.wrap">1</option>
         <option name="maxLines">5</option>
         <option name="raw.drilldown">full</option>
         <option name="rowNumbers">0</option>
         <option name="table.drilldown">all</option>
         <option name="table.sortDirection">asc</option>
         <option name="table.wrap">1</option>
         <option name="type">list</option>
       </event>
     </panel>
   </row>
 </dashboard>

Thanks

Naren26 · ‎11-22-2017

Excellent. Worked perfectly fine. Thanks a lot @kamlesh_vaghela

hardikJsheth · ‎11-22-2017

Try with IN clause.

i.e Following query only prints events from two hosts as mentioned in the IN clause.

index=main  host IN ("CDSLMAC02.local","127.0.0.1")

Naren26 · ‎11-22-2017

@hardikJsheth I need to perform a random search. Not specified to any field

hardikJsheth · ‎11-22-2017

@Naren26, I got it.

The best solution would be to replace coma with OR from token in java script .

i.e index=main "CDSLMAC02.local" OR "127.0.0.1"

How to filter events based on comma deilmeter?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases