@splunk_vb, if you are on Splunk 6.6 or later, this should be fairly easy with the IN operator for multiple value comparison. For previous versions of Splunk you may have to run an independent search to set multiple OR conditions similar to the one mentioned in your question. (PS: Search event handler <done> is used in version 6.5 or higher, which was <finalized> in version 6.4 or before.)
Please try the following run anywhere dashboard example based on Splunk's _internal index which has log_level values as INFO, WARN and ERROR for testing and showcasing both the scenarios:
Following is the Simple XML Code for screenshot attached:
<form>
<label>Text Box Multiple Value Filter</label>
<!-- Independent search to prepare filter data for Option 2-->
<search>
<query>| makeresults
| fields - _time
| eval filterData=$tokLogLevelOption2|s$
| eval filterData=replace(filterData,",","\" OR log_level=\"")</query>
<done>
<set token="tokLogLevelOption2Filter">$result.filterData$</set>
</done>
</search>
<fieldset submitButton="false">
<input type="time" token="tokTime" searchWhenChanged="true">
<label>Select Time</label>
<default>
<earliest>-1d@d</earliest>
<latest>@d</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<title>Option 1: Splunk 6.6 or higher with IN clause</title>
<input type="text" token="tokLogLevelOption1" searchWhenChanged="true">
<label>Log Level Filters ( INFO, ERROR and WARN)</label>
</input>
<table>
<search>
<query>index=_internal sourcetype=splunkd log_level IN ($tokLogLevelOption1$)
| stats count by log_level</query>
<earliest>$tokTime.earliest$</earliest>
<latest>$tokTime.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
<row>
<panel>
<title>Option 2: Splunk 6.5 or prior with OR clause</title>
<input type="text" token="tokLogLevelOption2" searchWhenChanged="true">
<label>Log Level Filters ( INFO, ERROR and WARN)</label>
<prefix>log_level="</prefix>
<suffix>"</suffix>
</input>
<table>
<search>
<query>index=_internal sourcetype=splunkd $tokLogLevelOption2Filter$
| stats count by log_level</query>
<earliest>$tokTime.earliest$</earliest>
<latest>$tokTime.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
</form>
Please try out and confirm!
@splunk_vb, if you are on Splunk 6.6 or later, this should be fairly easy with the IN operator for multiple value comparison. For previous versions of Splunk you may have to run an independent search to set multiple OR conditions similar to the one mentioned in your question. (PS: Search event handler <done> is used in version 6.5 or higher, which was <finalized> in version 6.4 or before.)
Please try the following run anywhere dashboard example based on Splunk's _internal index which has log_level values as INFO, WARN and ERROR for testing and showcasing both the scenarios:
Following is the Simple XML Code for screenshot attached:
<form>
<label>Text Box Multiple Value Filter</label>
<!-- Independent search to prepare filter data for Option 2-->
<search>
<query>| makeresults
| fields - _time
| eval filterData=$tokLogLevelOption2|s$
| eval filterData=replace(filterData,",","\" OR log_level=\"")</query>
<done>
<set token="tokLogLevelOption2Filter">$result.filterData$</set>
</done>
</search>
<fieldset submitButton="false">
<input type="time" token="tokTime" searchWhenChanged="true">
<label>Select Time</label>
<default>
<earliest>-1d@d</earliest>
<latest>@d</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<title>Option 1: Splunk 6.6 or higher with IN clause</title>
<input type="text" token="tokLogLevelOption1" searchWhenChanged="true">
<label>Log Level Filters ( INFO, ERROR and WARN)</label>
</input>
<table>
<search>
<query>index=_internal sourcetype=splunkd log_level IN ($tokLogLevelOption1$)
| stats count by log_level</query>
<earliest>$tokTime.earliest$</earliest>
<latest>$tokTime.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
<row>
<panel>
<title>Option 2: Splunk 6.5 or prior with OR clause</title>
<input type="text" token="tokLogLevelOption2" searchWhenChanged="true">
<label>Log Level Filters ( INFO, ERROR and WARN)</label>
<prefix>log_level="</prefix>
<suffix>"</suffix>
</input>
<table>
<search>
<query>index=_internal sourcetype=splunkd $tokLogLevelOption2Filter$
| stats count by log_level</query>
<earliest>$tokTime.earliest$</earliest>
<latest>$tokTime.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
</form>
Please try out and confirm!
