Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How can I pass a boolean string in token

tkwaller1
Path Finder
‎12-12-2023 08:40 AM

Hello

 

Im working on testing something but Im not sure exactly would be the best solution. What I am trying to do is, using the timepicker, have a panel that loads id's. Then I'd like another panel to search over the same timespan, in a different dataset, but only for the id's from the first panel.


Is there a way to pass the results of a search that runs on page load to another search, maybe with a token(s)? the catch is that there may be a single id or there may be many id's. It would have to be a boolean of some sort I believe unless there's a better way to search one to many instances of a something.
 
My thinking is something like 
search 1:
<base search> | stats count by MSGID | fields - count
that populates a <tok> on page load(or time selection) but the results would have to be formatted like 

 

654165464 OR MSGID=584548549494 OR MSGID=54654645645

 


search 2
<base search2> MSGID=<tok> | stats count by MSGID | fields - count

Is this something that can be done? What might I have to do to accomplish this?

Thanks for the assistance!

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎12-12-2023 11:17 AM

Yes, I believe it can be done.  The first search should be followed by a <done> element within which a token is set to one of the result fields of the search.  That token is then referenced in the second search.

<search><query>blahblahblah</query>
  <done>
    <set token=foo>$results.foo$</set>
  </done>
</search>

If the second search expects the contents of the token to be in a particular format then the query should generate that format or you may be able to use an <eval> element within <done> to produce the desired structure.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎12-12-2023 11:17 AM

Yes, I believe it can be done.  The first search should be followed by a <done> element within which a token is set to one of the result fields of the search.  That token is then referenced in the second search.

<search><query>blahblahblah</query>
  <done>
    <set token=foo>$results.foo$</set>
  </done>
</search>

If the second search expects the contents of the token to be in a particular format then the query should generate that format or you may be able to use an <eval> element within <done> to produce the desired structure.

---
If this reply helps you, Karma would be appreciated.
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...