Archive
Highlighted

generate dynamic search using lookup

Explorer

Hi All ,

I had a lookup table with servername and jvmname :

ServerName Jvmname
server1 jvm1
server1 jvm2
server1 jvm3

Able to get server1 in drop down through lookup .From the dropdown when i select server1 ,how can i generate search query similar to below

sourcetype=jvmtype (jvm=jvm1 OR jvm=jvm2 OR jvm=jvm2)

Any quick help is highly appreciated .

Thanks

Tags (1)
0 Karma
Highlighted

Re: generate dynamic search using lookup

SplunkTrust
SplunkTrust
your base search 
    [|inputlookup myinput.csv | search ServerName=$TheServerToken$ |
     table Jvmname | rename Jvmname as jvm | format] 
| whatever else you want to do with the search

in the above code $TheServerToken$ would be whatever value you are passing back from the dropdown.

What this subsearch does is create a table of desired values for jvm, and then the format command changes the output from the subsearch to look like

 ((jvm="jvm1") OR (jvm="jvm2") OR (jvm="jvm3"))

When the subsearch returns that code into the original base search, the search acts like that code was always there.

0 Karma
Highlighted

Re: generate dynamic search using lookup

Explorer

Thanks for the prompt response .This is one way of achieving it .

Is there a way we can get through token or field value when we select a server in drop down(multiselect or single select) as this is common logic in all panels

Thanks

0 Karma
Highlighted

Re: generate dynamic search using lookup

SplunkTrust
SplunkTrust

That's what i just gave you. The server value is what you feed into $TheServerToken$ in that subsearch in order to pull the jvm data from the lookup table and feed it to the search.

0 Karma
Highlighted

Re: generate dynamic search using lookup

Explorer

Hi Dal,

Subsearch will increase overhead .I am looking if the token value of drop down selected should generate/should be like a string like " (jvm=jvm1 OR jvm=jvm2 OR jvm=jvm2)"

Like when i selected server1 in drop down the token value of it should be a string like " (jvm=jvm1 OR jvm=jvm2 OR jvm=jvm2)"

Thanks

0 Karma
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.