Advance XML

arossouw_splunk · ‎05-06-2013

Recently I created an app which includes a an inputlookup. (We actually stole this one from the Webintelligence app):

We use this later to “addterm” into inline searches:

<module name="ConvertToIntention">
  <param name="settingToConvert">domain_setting</param>
  <param name="intention">
    <param name="name">addterm</param>
    <param name="arg">
      <param name="uri">$target$</param>
    </param>

In general this works fine.
Now my problem is that my inputlookup can create multi-value fields.
What my SearchSelectLister is doing now is, that I have one Dropdown-Entry for every value of the multi-value field.
What I want have is one Dropdown entry and put the addterm into the search including the multi-value field. In our case we are filtering out web-access-logs for certain entries with certain uri’s.

sideview · ‎06-18-2013

With Sideview Utils you can do this with ValueSetter and ArrayValueSetter.

the Pulldown or SearchSelectLister will have values like /DIR1/,/DIR2/,/DIR3/*

The ValueSetter will basically split the values on that sensible delimiter, so it will output an array-valued key containing the three values. (If comma is not a safe delimiter you just use a different char and specify a different delim param in ValueSetter.

Then ArrayValueSetter will turn the array valued key into the corresponding search expression, in this case uri="/DIR" OR uri="/DIR2/" OR uri="/DIR3/*"`

You could in theory use ConvertToIntention from there and turn this into a "stringreplace intention", but that's kind of crazy. If you're already using Sideview Utils you should just use the Sideview Search module instead of Splunk's HiddenSearch, and forget about intentions. With the search module you can just plug the key right in.

Also you could in theory keep using SearchSelectLister but the Sideview Pulldown module is far easier and more straightforward to deal with, so I would switch over there as well.

The next steps are really for you to check out Sideview Utils, read the first few pages in the docs, then read the docs and embedded living examples for Pulldown, Search, ValueSetter and ArrayValueSetter, and then you'll be on a very happy road. However to also give you a peek at what the final result will be, it's something like this. Including the search that feeds the Pulldown at the top, and the search into which we plug the boolean expression at the bottom. I also turned your multivalue source field into a more conventional string-valued field where the multiple values are explicitly separated by commas. This just makes everything a little more predictable and you dont have to split on space characters.

<module name="Search">
  <param name="search">
    | inputlookup sourcenames.csv | stats values(source) as source by sourcename | eval source=mvjoin(source,",")
  </param>

  <module name="Pulldown">
    <param name="name">uri</param>
    <param name="label">URI</param>
    <param name="valueField">source</param>

    <module name="ValueSetter">
      <param name="name">uriArray</param>
      <param name="delim">,</param>
      <param name="value">$uri$</param>

      <module name="ArrayValueSetter">
        <param name="name">uriSearch</param>
        <param name="array">$uriArray.rawValue$</param>
        <param name="template">uri="$value$"</param>
        <param name="separator">+OR+</param>
        <param name="outerTemplate">( $value$ )</param>

        <module name="Search">
          <param name="search">
            foo bar baz $uriSearch$ | timechart count
          </param>

Sideview Utils has a lot of modules and the bread-and-butter ones are simple straightforward modules like Search, TextField, Pulldown, Table, HTML etc.. Whereas ValueSetter and ArrayValueSetter are more advanced modules that you only need or use rarely. Once you get the hang of all of it you'll be using them in place of the corresponding Splunk modules and you'll find that your views are made up of mostly Sideview modules...

remember that while the latest Sideview Utils is free for internal use, you can only get it from the Sideview website:
http://sideviewapps.com/apps/sideview-utils

oestreicher · ‎06-18-2013

here is an example of the sourcenames.csv:

source, sourcename
/DIR1/* /DIR2/* /DIR3/*, Site with multiple values

We tried to put it in quotation marks also.

The

uri="/DIR1/* /DIR2/* /DIR3/*"

What we need is this:

uri="/DIR1/" OR "/DIR2/" OR "/DIR3/*"

enthusiast · ‎05-13-2013

Can you give an example on how to do that?
Can the SearchSelectLister stay as is?
How would the new "Convert to Intention" module would look like?

gkanapathy · ‎05-06-2013

You probably simply need to give up on using the addterm intention. I assume you want the invididual terms of MV OR'ed together as a base search, correct? If so, then what you need is for the MV field to get transformed into a string of that proper format. Depending on your search and other factors, you would do this in a subsearch (possibly via a macro) using the format or return search commands.

sideview · ‎05-13-2013

Or it's fairly easy in Sideview Utils and wouldn't need a subsearch. there are a couple ways to do it with various PostProcess/ResultsValueSetter/ArrayValueSetter techniques.

hexx · ‎05-06-2013

Can you please clarify:

* The actual values of a multi-value entry, as an example.
* What would you like the dropdown label to show for a multi-value entry?
* What search term(s) would you like the dropdown to add to the search string when the user picks a multi-value entry?

Advance XML

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life