Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Multiselect returns no rows in every condition

altink
Builder
‎12-27-2017 01:19 PM

Dear support,

I tried to build a multi-select control and use it in a search, but I have "Search is waiting for input... ",
in every case of the input being to default *, single value or multi value.

I followed exactly (tried) the example given in the Doc "Multiselect input example";
link text

My code is below:

    <input type="multiselect" token="field_nt_event_id" searchWhenChanged="false">
      <label>Select one or more field_nt_event_id</label>
      <choice value="*">All</choice>
      <choice value="4">name04</choice>
      <choice value="8">name08</choice>
      <choice value="12">name12</choice>

      <!--      Build multiselect search: 
        (sourcetype ="value1" OR sourcetype ="value2" OR ...)
      -->
      <prefix>(</prefix>
      <valuePrefix>NT_EVENT_ID ="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR </delimiter>
      <suffix>)</suffix>

    </input>

      <table>
        <search>
          <query>`mc_gen`
          | search DB_NAME=$field_db_name$ NT_EVENT_ID=$field_nt_event_id$ 
          | table _time DB_HOST NT_RECORD_NO DB_NAME NT_EVENT_ID NT_TYPE NT_MESSAGE 
    </query>
          <earliest>$field_time.earliest$</earliest>
          <latest>$field_time.latest$</latest>
        </search>
        <option name="count">16</option>
        <option name="rowNumbers">true</option>
        <option name="wrap">false</option>
      </table>

The records are there (4,8,12 and more).

Can someone help ?

thanks and regards
Altin

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

493669
Super Champion
‎12-28-2017 01:09 AM

Just remove NT_EVENT_ID= from your code.
below code will work

   <input type="multiselect" token="field_nt_event_id" searchWhenChanged="false">
       <label>Select one or more field_nt_event_id</label>
       <choice value="*">All</choice>
       <choice value="4">name04</choice>
       <choice value="8">name08</choice>
       <choice value="12">name12</choice>

       <!--      Build multiselect search: 
         (sourcetype ="value1" OR sourcetype ="value2" OR ...)
       -->
       <prefix>(</prefix>
       <valuePrefix>NT_EVENT_ID ="</valuePrefix>
       <valueSuffix>"</valueSuffix>
       <delimiter> OR </delimiter>
       <suffix>)</suffix>

     </input>

       <table>
         <search>
           <query>`mc_gen`
           | search DB_NAME=$field_db_name$ $field_nt_event_id$ 
           | table _time DB_HOST NT_RECORD_NO DB_NAME NT_EVENT_ID NT_TYPE NT_MESSAGE 
     </query>
           <earliest>$field_time.earliest$</earliest>
           <latest>$field_time.latest$</latest>
         </search>
         <option name="count">16</option>
         <option name="rowNumbers">true</option>
         <option name="wrap">false</option>
       </table>

View solution in original post

Reply
Solved! Jump to solution

niketn
Legend
‎12-28-2017 03:44 AM

@altink, in order to debug add title to table so that you can display your token values

   <table>
     <title>$field_db_name$ - $field_nt_event_id$</title>

Please see which token value is not being set.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

altink
Builder
‎12-28-2017 04:12 AM

Thank you very much @nikita_p and @niketn

I added the debug table title and get the following result (tested with a Database set to *)

Multiselect Output
Empty "" - $field_nt_event_id$
All "" - (NT_EVENT_ID ="")
44444 "" - (NT_EVENT_ID ="4")
88888 "" - (NT_EVENT_ID ="8")
44444 and 88888 "" - (NT_EVENT_ID ="4" OR NT_EVENT_ID ="8")

best regards
Altin

0 Karma
Reply
Solved! Jump to solution
Solution

493669
Super Champion
‎12-28-2017 01:09 AM

Just remove NT_EVENT_ID= from your code.
below code will work

   <input type="multiselect" token="field_nt_event_id" searchWhenChanged="false">
       <label>Select one or more field_nt_event_id</label>
       <choice value="*">All</choice>
       <choice value="4">name04</choice>
       <choice value="8">name08</choice>
       <choice value="12">name12</choice>

       <!--      Build multiselect search: 
         (sourcetype ="value1" OR sourcetype ="value2" OR ...)
       -->
       <prefix>(</prefix>
       <valuePrefix>NT_EVENT_ID ="</valuePrefix>
       <valueSuffix>"</valueSuffix>
       <delimiter> OR </delimiter>
       <suffix>)</suffix>

     </input>

       <table>
         <search>
           <query>`mc_gen`
           | search DB_NAME=$field_db_name$ $field_nt_event_id$ 
           | table _time DB_HOST NT_RECORD_NO DB_NAME NT_EVENT_ID NT_TYPE NT_MESSAGE 
     </query>
           <earliest>$field_time.earliest$</earliest>
           <latest>$field_time.latest$</latest>
         </search>
         <option name="count">16</option>
         <option name="rowNumbers">true</option>
         <option name="wrap">false</option>
       </table>
Reply
Solved! Jump to solution

altink
Builder
‎12-28-2017 04:32 AM

thank you very much @493669

but code pasted looks the same
did you mean replace 

 <valuePrefix>NT_EVENT_ID ="</valuePrefix>
with
 <valuePrefix>"</valuePrefix>

?

best regards
Altin

0 Karma
Reply
Solved! Jump to solution

493669
Super Champion
‎12-28-2017 04:36 AM

Hi @altink
your token $field_nt_event_id$ already has NT_EVENT_ID=""
so just replace NT_EVENT_ID=$field_nt_event_id$ by $field_nt_event_id$

Reply
Solved! Jump to solution

altink
Builder
‎12-28-2017 04:47 AM

thank you very much
I did that and I do get "Search is waiting for input...." in every multi-select combination

0 Karma
Reply
Solved! Jump to solution

altink
Builder
‎12-28-2017 05:09 AM

Your answer is correct @493669
remove of the NT_EVENT_ID= made it.

I think my initial "Search is waiting for input...." happened because I hadn't refreshed the form.
The DB_NAME is OK whenever as a value or as *

Thank you very much,
best regards
Altin

0 Karma
Reply
Solved! Jump to solution

493669
Super Champion
‎12-28-2017 05:04 AM

it means $field_db_name$ is also not set properly so if you could share xml for that input also

0 Karma
Reply
Solved! Jump to solution

493669
Super Champion
‎12-28-2017 04:41 AM

and not sure where you have set $field_db_name$ If you could share xml for that input also

0 Karma
Reply
Solved! Jump to solution

nikita_p
Contributor
‎12-27-2017 10:09 PM

Hi @altink,
Could you check splunk answer in below link. It might help you.
https://answers.splunk.com/answers/529581/how-use-multiselect-to-pass-multiple-selected-valu.html

Also check below splunk docs for token usage.
http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Viz/tokens

0 Karma
Reply
Solved! Jump to solution

micahkemp
Champion
‎12-27-2017 02:50 PM

Your search references $field_db_name$, which doesn't appear to be set in any inputs. Is this a typo, or is it intended to be set by an input that isn't actually present?

0 Karma
Reply
Solved! Jump to solution

altink
Builder
‎12-28-2017 04:29 AM

It is an existing input that is not displayed. It is set to * default at the input element (dropdown).

0 Karma
Reply
Get Updates on the Splunk Community!

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...