Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can I format output with boolean for one or more results

tkwaller1
Path Finder
‎12-14-2023 07:51 AM

Hello

I am working on creating a search that eval's results and adds boolean strings. the results will then be passed as a token to later searches. The result of the search could be a single ID or multiple IDs.

The idea is that the first panel lists IDs. The next panel in the dashboard will search an index but only for IDs from the first panel. 

For example:

Panel 1

index=db source=MSGTBL  MSG_src="XXXX" MSG_DOMAIN="CCCCCCCC" "<messageType>AAA</messageType>"
| eval MSGID1="MSGID="+MSGID+" OR"
| table MSGID

might give you a table of MSGIDs:
MSGID=56454GF-5RT1KL-566IOS-FT5GFAS OR
MSGID=56454GF-65WE-566IOS-5845UIK OR
MSGID=SD8734-DFH745-DFHJ7867-GKJH8 OR

I can then set that as a token like

<done>
  <set token="tokMSGID1">$result.MSGID1$</set>
</done>

 

The issue im having is that if there is only a single MSGID it will have an 'OR' at the end as well as the last result in a set of IDs would have the 'OR' at the end.

Can anyone tell me search-wise how to handle this?

Thanks!

 

Labels (2)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-14-2023 09:34 AM

Check out the format command.  It will put the available fields into a sequence of OR clauses.

index=db source=MSGTBL  MSG_src="XXXX" MSG_DOMAIN="CCCCCCCC" "<messageType>AAA</messageType>"
| fields MSGID
| format

 

---
If this reply helps you, Karma would be appreciated.
Reply

tkwaller1
Path Finder
‎12-14-2023 10:23 AM

I like it.
I added some sed commands to pull out the parenthesis as it was causing issues searching once the values were passed via token. but once I did that the rest of the panels worked.

Thanks!

 
Reply
Get Updates on the Splunk Community!

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization uses ...