All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to create a new token by concatenating a value to another token?

esimon
Engager
‎11-08-2024 01:36 PM

I have dashboard in Splunk Cloud which uses a dropdown input to determine the index for all of the searches on the page, with a value like "A-suffix", "B-suffix", etc. However, now I want to add another search which uses a different index but has `WHERE "column"="A"`, with A being the same value selected in the dropdown, but without the suffix. I tried using eval to replace the suffix with an empty string, and I tried changing the dropdown to remove the suffix and do `index=$token$."-suffix"` in the other queries, but I can't get anything to work. It seems like I might be able to use `<eval token="token">` if I could edit the XML, but I can only find the JSON source in the web editor and don't know how to edit the XML with Dashboard Studio.

 

 

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-08-2024 10:54 PM

Hi @esimon ,

use a regex (rex command) to extract the first part of the token.

In othe words, if the token is "A-12345" and you want to use index="A-12345" and for the WHERE condition column="A", you could try:

index="$token$"
| rex field="$token$" "^(?<my_field>[^-]*)"
| where column="my_field"
| ...

But also the eval should run.

Ciao.

Giuseppe

Reply

esimon
Engager
‎11-12-2024 07:33 AM

Hey Giuseppe,

Thanks so much for the reply! That also doesn't seem to work, when I add it I get `Error in 'mstats' command: This command must be the first command of a search.`, I guess I should have mentioned that I was using mstats, I didn't totally realize that it had special rules. That might also be why eval isn't working as expected.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...