Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

generate dynamic search using lookup

splunk403
Explorer
‎03-01-2017 01:11 PM

Hi All ,

I had a lookup table with servername and jvmname :

ServerName Jvmname
server1 jvm1
server1 jvm2
server1 jvm3

Able to get server1 in drop down through lookup .From the dropdown when i select server1 ,how can i generate search query similar to below

sourcetype=jvmtype (jvm=jvm1 OR jvm=jvm2 OR jvm=jvm2)

Any quick help is highly appreciated .

Thanks

Tags (1)
0 Karma
Reply

DalJeanis
SplunkTrust
SplunkTrust
‎03-01-2017 03:24 PM 
your base search 
    [|inputlookup myinput.csv | search ServerName=$TheServerToken$ |
     table Jvmname | rename Jvmname as jvm | format] 
| whatever else you want to do with the search

in the above code $TheServerToken$ would be whatever value you are passing back from the dropdown.

What this subsearch does is create a table of desired values for jvm, and then the format command changes the output from the subsearch to look like

 ((jvm="jvm1") OR (jvm="jvm2") OR (jvm="jvm3"))

When the subsearch returns that code into the original base search, the search acts like that code was always there.

0 Karma
Reply

splunk403
Explorer
‎03-01-2017 04:58 PM

Thanks for the prompt response .This is one way of achieving it .

Is there a way we can get through token or field value when we select a server in drop down(multiselect or single select) as this is common logic in all panels

Thanks

0 Karma
Reply

DalJeanis
SplunkTrust
SplunkTrust
‎03-01-2017 06:11 PM

That's what i just gave you. The server value is what you feed into $TheServerToken$ in that subsearch in order to pull the jvm data from the lookup table and feed it to the search.

0 Karma
Reply

splunk403
Explorer
‎03-02-2017 01:48 PM

Hi Dal,

Subsearch will increase overhead .I am looking if the token value of drop down selected should generate/should be like a string like " (jvm=jvm1 OR jvm=jvm2 OR jvm=jvm2)"

Like when i selected server1 in drop down the token value of it should be a string like " (jvm=jvm1 OR jvm=jvm2 OR jvm=jvm2)"

Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...