Splunk Search

Why am I unable to pass values across to multivalue fields?

ssadh_splunk
Splunk Employee

Hi,

I am trying to build a dashboard with 4 MultiValue Input fields.

MV_field1 with Values MVF1_A, MVF1_B,..... MVF1_N (so on)
MV_field2 with Values MVF2_A,MVF2_B,......MVF2_N
MV_field3 with Values MVF3_A,MVF3_B,......MVF3_N
MV_field4 with Values MVF4_A,MVF4_B,......MVF4_N

MV_field2 values depend on MV_field1, MV_field3 depends on MV_field2 and so on..

The data is coming from a lookup and the field values are populating for MV_field1 based on this search

| inputlookup mylookup.csv
| fields "fieldA" 
| dedup fieldA

MV_field2 values are dynamically getting populated by using below search, based on the values I chose from first multivalue input list

| inputlookup mylookup.csv
| search "fieldA" IN ($fieldA$)
| dedup fieldB
| fields "fieldB"

However, when I select multiple values in MV_field2 along with MV_field1, my third MV_field3 list doesn't get populated. It gets stuck with the message "Could not create Search." and mouse-over shows the message "Search is waiting for input".

The search I am using to populate the third input is as below:

| inputlookup mylookup.csv
| search  ("fieldA" IN ($fieldA$)) AND (fieldB IN $fieldB$)
| fields fieldC
| dedup fieldC

Any pointers would be greatly appreciated.

0 Karma

niketn
Legend

@ssadh would it be possible for you to share the Simple XML code for multi-value fields?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

DalJeanis
SplunkTrust

If the syntax of your second search is working, then format the second half of your third search exactly the way that worked ... ("fieldB" IN ($fieldB$)) .

0 Karma
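
The parenthesised IN (...) form from the reply above, wired through three cascading multiselect inputs. This is an added example, not the poster's dashboard (which was not shared in the thread): the lookup, field and token names come from the question, while the valuePrefix, valueSuffix and delimiter settings are assumptions about how each token is built.

```xml
<form>
  <label>Cascading multiselect inputs (constructed example)</label>
  <fieldset submitButton="false">
    <!-- Level 1: no upstream token; $fieldA$ expands to "MVF1_A","MVF1_B" -->
    <input type="multiselect" token="fieldA" searchWhenChanged="true">
      <label>MV_field1</label>
      <fieldForLabel>fieldA</fieldForLabel>
      <fieldForValue>fieldA</fieldForValue>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter>,</delimiter>
      <search><query>| inputlookup mylookup.csv | fields "fieldA" | dedup fieldA</query></search>
    </input>
    <!-- Level 2: populated from the level-1 selection (the search that works in the question) -->
    <input type="multiselect" token="fieldB" searchWhenChanged="true">
      <label>MV_field2</label>
      <fieldForLabel>fieldB</fieldForLabel>
      <fieldForValue>fieldB</fieldForValue>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter>,</delimiter>
      <search><query>| inputlookup mylookup.csv | search "fieldA" IN ($fieldA$) | dedup fieldB | fields "fieldB"</query></search>
    </input>
    <!-- Level 3: both tokens wrapped in parentheses. The question's version used
         (fieldB IN $fieldB$), which leaves the comma-joined list without its parentheses. -->
    <input type="multiselect" token="fieldC" searchWhenChanged="true">
      <label>MV_field3</label>
      <fieldForLabel>fieldC</fieldForLabel>
      <fieldForValue>fieldC</fieldForValue>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter>,</delimiter>
      <search><query>| inputlookup mylookup.csv | search ("fieldA" IN ($fieldA$)) AND ("fieldB" IN ($fieldB$)) | fields fieldC | dedup fieldC</query></search>
    </input>
  </fieldset>
</form>
```

The token attribute of each input has to match the $...$ name used in the downstream query exactly, including case.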

somesoni2
SplunkTrust

Check if the field names and token names used in your MV_field3 multiselect input query are correct (they are case sensitive). The message suggests that one of the tokens in that query is not resolving to a valid value.

0 Karma

ssadh_splunk
Splunk Employee

Yes, all spellings are correct and case sensitivity is followed across the dashboard.

0 Karma

Sukisen1981
Champion

I think you have been editing the same dashboard and saving your dashboard as you build on the tokens; save, refresh 2-3 times, log out and log back in... I know it sounds silly, but it might just work.

0 Karma