- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Comparing multivalue field with single value field...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I was looking for a way to input multiple text inputs on a dashboard and searching the inputs against a single value field, and I have concluded that splunk has no other way to handle multi text input with the exception of created an inputlookup table or creating a multivalue input and using makemv and mvexpand. (correct me if i am wrong). And i do not want to create a inputlookup table
Problem now is how would i compare the values in the multivalue field and a single value field
Below is my spl:
mysearch [stats count| eval my_mv="$IPs$"|makemv my_mv delim="," | mvexpand my_mv ]
basically i have an input of multiple IPs(my_mv) and i want to search these IPs against an existing srcip field and return the events associated with the matched srcip.
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
A multiselect input field can produce an output token value that looks like...
( ( field1="value1" ) OR ( field1="value2" ) OR ( field1="value3" ) ... )
You do that by setting the input's <valueprefix> and <valuesuffix> and <delimiter> tags.
See this for more info https://docs.splunk.com/Documentation/Splunk/7.0.3/Viz/PanelreferenceforSimplifiedXML
You can create a similar effect in code, by putting the code inside the brackets of a subsearch, using the format command with parameters as desired, and then optionally using a rex mode=sed field=search "s/some thing/some other thing/g" command to customize some thing into some other thing.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
A multiselect input field can produce an output token value that looks like...
( ( field1="value1" ) OR ( field1="value2" ) OR ( field1="value3" ) ... )
You do that by setting the input's <valueprefix> and <valuesuffix> and <delimiter> tags.
See this for more info https://docs.splunk.com/Documentation/Splunk/7.0.3/Viz/PanelreferenceforSimplifiedXML
You can create a similar effect in code, by putting the code inside the brackets of a subsearch, using the format command with parameters as desired, and then optionally using a rex mode=sed field=search "s/some thing/some other thing/g" command to customize some thing into some other thing.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you're using Splunk 6.6 OR above, you get an IN operator in your search command using which you can search multiple values. I belive something like this would work (for comma separated list of IPs)
mysearch src_ip IN ($IPs$)
See this for more details
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi somesoni2, i am aware of the IN operator for 6.6 and beyond, unfortunately, we would not be upgrading the Splunk platform anytime soon 😞
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
