https://community.splunk.com/t5/Splunk-Search/How-can-I-use-a-source-folder-as-a-input-token/m-p/270227#M81330 <P>Hi guys! <BR /> I have a bunch of test data in JSON files as my sources and they're structured in the following way: <BR /> "/MyFolder/ProjectName/RunID/jsonFile" such as for example "/MyFolder/test1/47/ErrorMessages.json". <BR /> I want to populate two drop down menus in my dashboards with ProjectName and RunID. <BR /> So that the first drop down get populated with Project names that the user can select. I then use this selection as a token in the second drop down menu and populate it with all the runs for that project. I now have two tokens that I can use for searching. <BR /> How can I best go about this? If there's a search I can do directly in Splunk to table all the project names and RunIDs this would of course be the easiest and most ideal. Otherwise I guess I'd have to start looking into creating a regEx or a lookup, but I'm not very proficient at those =p <BR /> Any help is greatly appreciated! <BR /> Thanks you! </P> Thu, 08 Sep 2016 11:51:20 GMT external_alien_ 2016-09-08T11:51:20Z https://community.splunk.com/t5/Splunk-Search/How-can-I-use-a-source-folder-as-a-input-token/m-p/270227#M81330 <P>Hi guys! <BR /> I have a bunch of test data in JSON files as my sources and they're structured in the following way: <BR /> "/MyFolder/ProjectName/RunID/jsonFile" such as for example "/MyFolder/test1/47/ErrorMessages.json". <BR /> I want to populate two drop down menus in my dashboards with ProjectName and RunID. <BR /> So that the first drop down get populated with Project names that the user can select. I then use this selection as a token in the second drop down menu and populate it with all the runs for that project. I now have two tokens that I can use for searching. <BR /> How can I best go about this? If there's a search I can do directly in Splunk to table all the project names and RunIDs this would of course be the easiest and most ideal. Otherwise I guess I'd have to start looking into creating a regEx or a lookup, but I'm not very proficient at those =p <BR /> Any help is greatly appreciated! <BR /> Thanks you! </P> Thu, 08 Sep 2016 11:51:20 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-use-a-source-folder-as-a-input-token/m-p/270227#M81330 external_alien_ 2016-09-08T11:51:20Z https://community.splunk.com/t5/Splunk-Search/How-can-I-use-a-source-folder-as-a-input-token/m-p/270228#M81331 <P>Since the ProjectName and RunID as part of the source/file path is something custom to your requirement, there will not be any readily available table to get you that.</P> <P>Once this you can try is to run a metadata/tstats search to get list of all sources (for your index/sourcetype of course) and use field extraction to get those values listed/made available for dashboard dropdowns. Following search can give you list of ProjectName adn RunID from the source:- </P> <PRE><CODE>| tstats count WHRE index=PutYourIndex sourcetype=PutYourSourceType by source | rex field=source "^\/[^\/]+\/(?&lt;ProjectName&gt;[^\/]+)\/(?&lt;RunID&gt;[^\/]+)" | stats count by ProjectName RunID | table ProjectName RunID </CODE></PRE> <P>Now you can either use the search directly for the dropdown OR setup a scheduled search to write this data into a lookup file and then use the lookup file for the dropdown.</P> Thu, 08 Sep 2016 18:23:26 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-use-a-source-folder-as-a-input-token/m-p/270228#M81331 somesoni2 2016-09-08T18:23:26Z https://community.splunk.com/t5/Splunk-Search/How-can-I-use-a-source-folder-as-a-input-token/m-p/270229#M81332 <P>do you want something like this?<BR /> | rex field=source "\/(?P[^\/]+)\/(?P[^\/]+)\/(?P[^\/]+)"</P> Fri, 09 Sep 2016 07:31:07 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-use-a-source-folder-as-a-input-token/m-p/270229#M81332 astalv 2016-09-09T07:31:07Z https://community.splunk.com/t5/Splunk-Search/How-can-I-use-a-source-folder-as-a-input-token/m-p/270230#M81333 <P>Beautiful, worked perfectly! Exactly what I needed!<BR /><BR /> Thank you! <span class="lia-unicode-emoji" title=":grinning_face_with_big_eyes:">😃</span> </P> Fri, 09 Sep 2016 13:37:13 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-use-a-source-folder-as-a-input-token/m-p/270230#M81333 external_alien_ 2016-09-09T13:37:13Z