How to create a new token by concatenating a value...

esimon · ‎11-08-2024

I have dashboard in Splunk Cloud which uses a dropdown input to determine the index for all of the searches on the page, with a value like "A-suffix", "B-suffix", etc. However, now I want to add another search which uses a different index but has `WHERE "column"="A"`, with A being the same value selected in the dropdown, but without the suffix. I tried using eval to replace the suffix with an empty string, and I tried changing the dropdown to remove the suffix and do `index=$token$."-suffix"` in the other queries, but I can't get anything to work. It seems like I might be able to use `<eval token="token">` if I could edit the XML, but I can only find the JSON source in the web editor and don't know how to edit the XML with Dashboard Studio.

gcusello · ‎11-08-2024

Hi @esimon ,

use a regex (rex command) to extract the first part of the token.

In othe words, if the token is "A-12345" and you want to use index="A-12345" and for the WHERE condition column="A", you could try:

index="$token$"
| rex field="$token$" "^(?<my_field>[^-]*)"
| where column="my_field"
| ...

But also the eval should run.

Ciao.

Giuseppe

esimon · ‎11-12-2024

Hey Giuseppe,

Thanks so much for the reply! That also doesn't seem to work, when I add it I get `Error in 'mstats' command: This command must be the first command of a search.`, I guess I should have mentioned that I was using mstats, I didn't totally realize that it had special rules. That might also be why eval isn't working as expected.

How to create a new token by concatenating a value to another token?

search

Developer Spotlight with Paul Stout

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

Data-Driven Success: Splunk & Financial Services