Archive
Highlighted

generate dynamic search using lookup

Explorer

Hi All ,

I had a lookup table with servername and jvmname :

ServerName Jvmname
server1 jvm1
server1 jvm2
server1 jvm3

Able to get server1 in drop down through lookup .From the dropdown when i select server1 ,how can i generate search query similar to below

sourcetype=jvmtype (jvm=jvm1 OR jvm=jvm2 OR jvm=jvm2)

Any quick help is highly appreciated .

Thanks

Tags (1)
0 Karma
Highlighted

Re: generate dynamic search using lookup

SplunkTrust
SplunkTrust
your base search 
    [|inputlookup myinput.csv | search ServerName=$TheServerToken$ |
     table Jvmname | rename Jvmname as jvm | format] 
| whatever else you want to do with the search

in the above code $TheServerToken$ would be whatever value you are passing back from the dropdown.

What this subsearch does is create a table of desired values for jvm, and then the format command changes the output from the subsearch to look like

 ((jvm="jvm1") OR (jvm="jvm2") OR (jvm="jvm3"))

When the subsearch returns that code into the original base search, the search acts like that code was always there.

0 Karma
Highlighted

Re: generate dynamic search using lookup

Explorer

Thanks for the prompt response .This is one way of achieving it .

Is there a way we can get through token or field value when we select a server in drop down(multiselect or single select) as this is common logic in all panels

Thanks

0 Karma
Highlighted

Re: generate dynamic search using lookup

SplunkTrust
SplunkTrust

That's what i just gave you. The server value is what you feed into $TheServerToken$ in that subsearch in order to pull the jvm data from the lookup table and feed it to the search.

0 Karma
Highlighted

Re: generate dynamic search using lookup

Explorer

Hi Dal,

Subsearch will increase overhead .I am looking if the token value of drop down selected should generate/should be like a string like " (jvm=jvm1 OR jvm=jvm2 OR jvm=jvm2)"

Like when i selected server1 in drop down the token value of it should be a string like " (jvm=jvm1 OR jvm=jvm2 OR jvm=jvm2)"

Thanks

0 Karma