Hey guys
I'd like to have a multiselect populate a raw string search but some of the values end in whitespace.
<choice value="some raw string that option1 represents ending in a space ">option1</choice>
<choice value="some raw string that option2 represents not ending in a space">option2</choice>
<choice value="some raw string that option3 represents ending in a space ">option3</choice>
<delimiter> OR </delimiter>
<valuePrefix>'</valuePrefix>
<valueSuffix>'</valueSuffix>
And then index=myindex $multiselect$
However this does not work since the trailing space at the end of the choice value is cut off. Escaping with nbsp throws an error, and a few other whitespace escapes that I tried do not work either. https://stackoverflow.com/questions/514635/represent-space-and-tab-in-xml-tag does not work for SimpleXML.
Any ideas??
@nick405060 can you try the following run anywhere example based on sample code provided in the question?
Instead of Space in the Value of Multiselect I have used ###, which I have later replaced with a space using independent search to process the token value returned from the multiselect.
<form>
  <label>multiselect with trailing spaces</label>
  <fieldset submitButton="false">
    <input type="multiselect" token="tokMultiSelectInput" searchWhenChanged="true">
      <label>Multiselect</label>
      <choice value="some raw string that option1 represents ending in a space###">Option 1</choice>
      <choice value="some raw string that option2 represents not ending in a space">Option 2</choice>
      <choice value="some raw string that option3 represents ending in a space###">Option 3</choice>
      <delimiter> OR </delimiter>
      <valuePrefix>'</valuePrefix>
      <valueSuffix>'</valueSuffix>
    </input>
  </fieldset>
  <!-- Independent Search to Format results from Multiselect Input to be used in Search -->
  <search>
    <query>| makeresults
      | fields - _time
      | eval tokMulti=replace("$tokMultiSelectInput$","###"," ")
    </query>
    <done>
      <set token="tokMulti">$result.tokMulti$</set>
    </done>
  </search>
  <row>
    <panel>
      <html>
        <div>tokMulti: $tokMulti$</div>
      </html>
    </panel>
  </row>
</form>
Ah. That would do it. Figured I'd see a @niketnilay response on this one! Thanks a bunch
I had some major problems properly escaping quotes with this method. If it wasn't for the trailing space, regular valuePrefixes/Suffixes would have done the trick. If it helps anyone else, I did get this method working though: (I took the removed items mentioned from the final query, so this is not copy and pasteable. But it is besides that query.)
<form>
  <label>VPN Activity</label>
  <description></description>
  <fieldset submitButton="true" autoRun="false">
    <input type="time" token="TIMERANGE" searchWhenChanged="false">
      <label>Time range:</label>
      <default>
        <earliest>@d</earliest>
        <latest>now</latest>
      </default>
      <change>
        <eval token="earliest_epoch_onChange">case(isnum($earliest$), $earliest$, $earliest$=="now", time(), $earliest$="", 0, true(), relative_time(time(), $earliest$))</eval>
        <eval token="latest_epoch_onChange">case(isnum($latest$), $latest$, $latest$=="now", time(), true(), relative_time(time(), $latest$))</eval>
      </change>
    </input>
    <input type="text" token="earliest_epoch" depends="$justHideMe$">
      <default>$earliest_epoch_onChange$</default>
    </input>
    <input type="text" token="latest_epoch" depends="$justHideMe$">
      <default>$latest_epoch_onChange$</default>
    </input>
    <input type="text" token="networkIdOnChange" searchWhenChanged="false">
      <label>NetworkID:</label>
      <default>Enter ID</default>
    </input>
    <input type="text" token="networkId" depends="$justHideMe$">
      <default>$networkIdOnChange$</default>
    </input>
    <input type="text" token="ipOnChange" searchWhenChanged="false">
      <label>IP:</label>
      <default>*</default>
    </input>
    <input type="text" token="ip" depends="$justHideMe$">
      <default>$ipOnChange$</default>
    </input>
    <!-- Full token is modded later so that trailing whitespaces and two "Group" formats can be included -->
    <input type="multiselect" token="typesOnChange" searchWhenChanged="false" id="types_multiselect">
      <label>Type</label>
      <choice value="Group_">Group</choice>
      <choice value="TunnelGroup">TunnelGroup</choice>
      <choice value="Teardown">Teardown</choice>
      <choice value="Built">Build</choice>
      <choice value="Deny">Deny</choice>
      <choice value="Disconnected">Disconnected</choice>
      <choice value="Access-list">Access-List</choice>
      <choice value="AAA">AAA User Auth</choice>
      <choice value="User_">Admin User</choice>
      <default>Admin User</default>
      <delimiter> OR </delimiter>
    </input>
    <input type="text" token="types_unformatted" depends="$justHideMe$">
      <default>$typesOnChange$</default>
    </input>
    <input type="dropdown" token="advancedOnChange" searchWhenChanged="false">
      <label>Use advanced field extractions?</label>
      <choice value="yes">Yes</choice>
      <choice value="no">No</choice>
      <default>No</default>
    </input>
    <input type="text" token="advanced" depends="$justHideMe$">
      <default>$advancedOnChange$</default>
    </input>
  </fieldset>
  <!-- Multiselect mod-->
  <search>
    <query>
      | makeresults | eval orig="$types_unformatted$" | eval temp=orig
      | eval temp=replace(temp,"Group_","\"Group = \" OR \"Group &lt;\"")
      | eval temp=replace(temp,"TunnelGroup","\"TunnelGroup \"")
      | eval temp=replace(temp,"Teardown","\"Teardown \"")
      | eval temp=replace(temp,"Built","\"Built \"")
      | eval temp=replace(temp,"Deny","\"Deny \"")
      | eval temp=replace(temp,"Disconnected","\"Disconnected\"")
      | eval temp=replace(temp,"Access-list","\"access-list\"")
      | eval temp=replace(temp,"AAA","\"AAA user authentication Rejected\"")
      | eval temp=replace(temp,"User_","(\"User \'\" NOT \"access-list\")")
    </query>
    <done>
      <set token="types">$result.temp$</set>
      <set token="types_string">$result.orig$</set>
    </done>
  </search>
  <row>
    <panel depends="$alwaysHideCSS$">
      <html>
        <style>
          #types_multiselect div[data-component="splunk-core:/splunkjs/mvc/components/MultiDropdown"]{
            width: 275px !important;
          }
          #types_multiselect div[data-view="splunkjs/mvc/multidropdownview"]{
            width: 275px !important;
            margin-right: auto !important;
          }
          .fieldset .input{
            width:auto !important;
          }
        </style>
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <title></title>
      <table>
        <search>
          <query>
            index=asa $networkId$ $types$ $ip$ |
            -- many regexes that use "$types_string$" go here -- |
            table goodfields * | fields - badfields | eventstats count as _count
          </query>
          <earliest>$earliest_epoch$</earliest>
          <latest>$latest_epoch$</latest>
          <preview>
            <set token="vpn_count">$result._count$</set>
          </preview>
        </search>
      </table>
    </panel>
  </row>
</form>
Can you use the Token Value Suffix and append an *? This would allow for when there is or isn't a whitespace at the end.
It still trims the whitespace
Assuming this is the same as your other question?
It is not. The workaround for this that I thought of is the other question, although that workaround also is not working: https://answers.splunk.com/answers/750198/is-it-possible-to-use-match-in-an-initial-search-e.html