I'm trying to create a training dashboard based on Multiselect and the HTTP status code.
If I create the Multiselect through the GUI and only select a single value - all works fine.
But when I select more than 1 value, the search fails.
The reason is that the search is created as ---- status="200 OR 503" ----- (I added the OR separator)
If I remove the "" it all works fine but nowhere in the GUI do you have a choice to omit the ""
Try using " OR status=" as the delimiter.
Tried a few approaches but your suggestion gives me
status="200 OR status=400"
Then I tried adding a leading " in the separator, but then I get
status="400\" OR status=200"
Trying exactly what you wrote gives me
status="200\" OR status=\"400"
Somehow Search seems to think I don't speak SPL good enough 😞
BTW - running on 7.0
Can you send a snippet of the simpleXML for this input? I'm not sure why the \\ would be added.
I have to correct myself. This is a 6.6.2 instance for a Rookie session.
Here's what the XML looks like:
<input type="multiselect" token="status_token" searchWhenChanged="true">
<label>Status</label>
<choice value="*">All</choice>
<fieldForLabel>status</fieldForLabel>
<fieldForValue>status</fieldForValue>
<search>
<query>sourcetype=access_combined* product_id=$product_token|s$| stats count by status</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<default>*</default>
<delimiter> OR </delimiter>
</input>
Doing this should work, and you shouldn't need the |s in status_token in your search because the statuses are all numerical fields, so there really isn't a need to enclose them in quotes.
<input type="multiselect" token="status_token" searchWhenChanged="true">
<label>Status</label>
<choice value="*">All</choice>
<fieldForLabel>status</fieldForLabel>
<fieldForValue>status</fieldForValue>
<search>
<query>sourcetype=access_combined* product_id=$product_token|s$| stats count by status</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<default>*</default>
<delimiter> OR status=</delimiter>
</input>
Thanks
The key was the numerical fields so now the working solution looks like
sourcetype=access_combined* product_id=$product_token|s$ status=$status_token$| iplocation clientip | geostats count by status
Didn't see any point in using a different syntax for a numerical field vs a text field - but then again 🙂
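An added example, not part of the thread's posts: the same multiselect built with Simple XML's per-value `valuePrefix`/`valueSuffix` and whole-token `prefix`/`suffix` elements, so each selected value is quoted individually and the syntax is the same for numeric and text fields. It assumes `product_token` is defined by another input, as in the thread's searches.

```xml
<!-- Added example. product_token is assumed to be defined by another input on the form. -->
<input type="multiselect" token="status_token" searchWhenChanged="true">
  <label>Status</label>
  <choice value="*">All</choice>
  <fieldForLabel>status</fieldForLabel>
  <fieldForValue>status</fieldForValue>
  <search>
    <query>sourcetype=access_combined* product_id=$product_token|s$ | stats count by status</query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </search>
  <default>*</default>
  <!-- Each selected value is wrapped on its own, e.g. status="200" -->
  <valuePrefix>status="</valuePrefix>
  <valueSuffix>"</valueSuffix>
  <!-- The wrapped values are then joined with the delimiter -->
  <delimiter> OR </delimiter>
  <!-- The joined list is parenthesised so the OR cannot bind to neighbouring search terms -->
  <prefix>(</prefix>
  <suffix>)</suffix>
</input>

<!-- Panel search: the token already carries the field name and the quotes,
     so it is used bare, with no "status=" in front and no |s filter.
     Selecting 200 and 503 expands $status_token$ to (status="200" OR status="503");
     the default choice expands to (status="*"). -->
<query>sourcetype=access_combined* product_id=$product_token|s$ $status_token$ | iplocation clientip | geostats count by status</query>
```

The `|s` filter quotes the whole token value as one string and escapes any quotes inside it, which is why the delimiter-only attempts in the thread produced `status="200 OR 503"` and the `\"` variants.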