https://community.splunk.com/t5/Splunk-Search/Different-query-s-based-on-the-result-of-previous-Token/m-p/380050#M168958 <P>Hi, </P> <P>This can be achieve by a simple token you can use refer the below sample. </P> <P>Description:</P> <P>Token named "token" can be set to the search based on user selection. With this example i've used the internal index, you may want to try with your index. </P> <BLOCKQUOTE> <P>Note: This sample will run only you<BR /> have access to internal index.</P> </BLOCKQUOTE> <PRE><CODE>&lt;form&gt; &lt;label&gt;Sample&lt;/label&gt; &lt;fieldset submitButton="false"&gt; &lt;input type="dropdown" token="token" searchWhenChanged="true"&gt; &lt;label&gt;Your Token&lt;/label&gt; &lt;choice value="index=_internal | head 10 | stats c by host"&gt;host&lt;/choice&gt; &lt;choice value="index=_internal | head 10 | stats c by sourcetype, host"&gt;sourcetype, host&lt;/choice&gt; &lt;choice value="index=_internal | head 10 | stats c by source, host, sourcetype"&gt;source, host, sourcetype&lt;/choice&gt; &lt;default&gt;index=_internal | head 10 | stats c by host&lt;/default&gt; &lt;initialValue&gt;index=_internal | head 10 | stats c by host&lt;/initialValue&gt; &lt;/input&gt; &lt;/fieldset&gt; &lt;row&gt; &lt;panel&gt; &lt;table&gt; &lt;search&gt; &lt;query&gt;$token$&lt;/query&gt; &lt;earliest&gt;-24h@h&lt;/earliest&gt; &lt;latest&gt;now&lt;/latest&gt; &lt;sampleRatio&gt;1&lt;/sampleRatio&gt; &lt;/search&gt; &lt;option name="drilldown"&gt;none&lt;/option&gt; &lt;option name="refresh.display"&gt;progressbar&lt;/option&gt; &lt;/table&gt; &lt;/panel&gt; &lt;/row&gt; &lt;/form&gt; </CODE></PRE> <P>Thanks,<BR /> V</P> Mon, 11 Jun 2018 16:15:18 GMT vasanthmss 2018-06-11T16:15:18Z https://community.splunk.com/t5/Splunk-Search/Different-query-s-based-on-the-result-of-previous-Token/m-p/380049#M168957 <P>Hello,</P> <P>I have a doubt that I think it´s easy to respond, but until now, I have no results.<BR /> I want to make an query that depends on the result of a token, example:</P> <UL> <LI>If the token is set to yeallow, <UL> <LI>then the following query will be executed: index=a | stats count by field.name1</LI> </UL></LI> <LI>If the token is set to red, <UL> <LI>then the following query will be executed: index=b | stats count by field.name2, field.name4</LI> </UL></LI> <LI>If the toke is set to green, <UL> <LI>then the following query will be executed: index=c | stats count by field.name3, field.name5, field.name6</LI> </UL></LI> </UL> <P>How can I achieve this?</P> <P>Thanks in advance.</P> <P>Best regards.</P> Mon, 11 Jun 2018 15:45:00 GMT https://community.splunk.com/t5/Splunk-Search/Different-query-s-based-on-the-result-of-previous-Token/m-p/380049#M168957 splunk_exercice 2018-06-11T15:45:00Z https://community.splunk.com/t5/Splunk-Search/Different-query-s-based-on-the-result-of-previous-Token/m-p/380050#M168958 <P>Hi, </P> <P>This can be achieve by a simple token you can use refer the below sample. </P> <P>Description:</P> <P>Token named "token" can be set to the search based on user selection. With this example i've used the internal index, you may want to try with your index. </P> <BLOCKQUOTE> <P>Note: This sample will run only you<BR /> have access to internal index.</P> </BLOCKQUOTE> <PRE><CODE>&lt;form&gt; &lt;label&gt;Sample&lt;/label&gt; &lt;fieldset submitButton="false"&gt; &lt;input type="dropdown" token="token" searchWhenChanged="true"&gt; &lt;label&gt;Your Token&lt;/label&gt; &lt;choice value="index=_internal | head 10 | stats c by host"&gt;host&lt;/choice&gt; &lt;choice value="index=_internal | head 10 | stats c by sourcetype, host"&gt;sourcetype, host&lt;/choice&gt; &lt;choice value="index=_internal | head 10 | stats c by source, host, sourcetype"&gt;source, host, sourcetype&lt;/choice&gt; &lt;default&gt;index=_internal | head 10 | stats c by host&lt;/default&gt; &lt;initialValue&gt;index=_internal | head 10 | stats c by host&lt;/initialValue&gt; &lt;/input&gt; &lt;/fieldset&gt; &lt;row&gt; &lt;panel&gt; &lt;table&gt; &lt;search&gt; &lt;query&gt;$token$&lt;/query&gt; &lt;earliest&gt;-24h@h&lt;/earliest&gt; &lt;latest&gt;now&lt;/latest&gt; &lt;sampleRatio&gt;1&lt;/sampleRatio&gt; &lt;/search&gt; &lt;option name="drilldown"&gt;none&lt;/option&gt; &lt;option name="refresh.display"&gt;progressbar&lt;/option&gt; &lt;/table&gt; &lt;/panel&gt; &lt;/row&gt; &lt;/form&gt; </CODE></PRE> <P>Thanks,<BR /> V</P> Mon, 11 Jun 2018 16:15:18 GMT https://community.splunk.com/t5/Splunk-Search/Different-query-s-based-on-the-result-of-previous-Token/m-p/380050#M168958 vasanthmss 2018-06-11T16:15:18Z https://community.splunk.com/t5/Splunk-Search/Different-query-s-based-on-the-result-of-previous-Token/m-p/380051#M168959 <PRE><CODE>&lt;form&gt; &lt;label&gt;Sample&lt;/label&gt; &lt;fieldset submitButton="false"&gt; &lt;input type="dropdown" token="selected" searchWhenChanged="true"&gt; &lt;label&gt;Your Token&lt;/label&gt; &lt;choice value="field.name1"&gt;Yellow&lt;/choice&gt; &lt;choice value="field.name2, field.name4"&gt;red&lt;/choice&gt; &lt;choice value="field.name3, field.name5, field.name6"&gt;green&lt;/choice&gt; &lt;default&gt;Yellow&lt;/default&gt; &lt;/input&gt; &lt;/fieldset&gt; &lt;row&gt; &lt;panel&gt; &lt;title&gt;|stats count by $selected$&lt;/title&gt; &lt;single&gt; &lt;search&gt; &lt;query&gt;|makeresults |eval tokenvalue="$selected$"&lt;/query&gt; &lt;earliest&gt;-24h@h&lt;/earliest&gt; &lt;latest&gt;now&lt;/latest&gt; &lt;/search&gt; &lt;option name="drilldown"&gt;none&lt;/option&gt; &lt;/single&gt; &lt;/panel&gt; &lt;/row&gt; &lt;/form&gt; </CODE></PRE> Tue, 12 Jun 2018 06:26:44 GMT https://community.splunk.com/t5/Splunk-Search/Different-query-s-based-on-the-result-of-previous-Token/m-p/380051#M168959 harishalipaka 2018-06-12T06:26:44Z